Persons with Significant Control: PSCs

From 30th June 2016 the ‘People with Significant Control’ Companies House register went live. This means that certain United Kingdom (UK) companies, Limited Liability Partnerships (LLPs), Societas Europaea (SE), and Eligible Scottish Partnerships (ESPs) are required to record certain details of their beneficial ownership. The idea is simple, by making publicly available information about ownership of companies, LLPs, SE, and ESPs, this increases transparency and ownership and control of UK firms; its helps investors with company investment decisions; and it also helps to tackle crime relating to inter aliacorruption, money laundering, tax evasion, and terrorist financing. Whilst the idea is simple, in practice the ‘Persons with Significant Control’ (PSC) legal and regulatory framework is rather more operationally complex.

For starters, it is not only necessary to review the existing legislative framework spread out across numerous pieces of primary and secondary legislation, it is also necessary to review a range of official and statutory guidance provided. In relation to the former, these include: (1)The Small Business, Enterprise and Employment Act 2015; (2) The Companies Act 2016 (Section 12A, Part 21A, and Part 24); (3) The Scottish Partnerships (Register of People with Significant Control) Regulations 2017; (4) The Information about People with Significant Control (Amendment) Regulations 2017; (5) The European Public Limited-Liability Company (Register of People with Significant Control) Regulations 2016; (6) The Limited Liability Partnerships (Register of People with Significant Control) Regulations 2016; and (7) The Register of People with Significant Control Regulations 2016.

In relation to the latter, these include: (1) Guidance for eligible Scottish partnerships on the meaning of ‘significant influence or control’; (2) Guidance on PSCs; (3) Guidance on the protection regime for suppressing PSC information in exceptional circumstances; (4) Statutory guidance for companies on the meaning of ‘significant influence or control’; (5) Statutory guidance for LLPs on the meaning of ‘significant influence or control’; and (6) Summary guidance on the PSC register for companies; Furthermore, those businesses affected now also need to be aware of the array of sanctions, such as fines and criminal offences, that can be imposed on firms and individuals that fail to comply with the range of legal duties now set out in the PSC framework. This makes fully understanding the PSC operational framework a top priority for covered firms.

From 6th April 2016, all companies and LLPs are required to keep a register of PSC and to file the information on their register with Companies House (from 26th June 2017, this requirement was extended to unregistered companies, certain listed companies, and also ESPs). In addition, from 30th June 2016, all companies and LLPs are also required to deliver to Companies House certain information regarding their PSC whenever there is a change in PSC, and when making an annual confirmation statement. The PSC Register (PSCR) requires personal details of a PSC to be entered, such as name; date of birth; nationality; residential address; service address; date of entry on the PSCR; and conditions which apply for the PSC. The PSCR is available to search to the public free of charge. Over time, as Companies House receives more information, the service will be able to provide a more complete picture about the beneficial owners behind UK companies, LLPs, SE, and ESPs. As noted by Companies House:

“In terms of greater transparency, this is a big step forward to help to further strengthen confidence in business and deliver real benefits to the UK economy as a whole.”

From a high-level perspective, firms are required to identify PSC; enter information on the PSCR; and update PSC information, as necessary. Some of the operational challenges stem from the interpretation of requirements under the PSC framework. For example, firms need to understand what ‘taking reasonable steps’ to find out if there are PSC over a company, LLP, SE, and ESP means, i.e. the ‘Reasonable Steps Test’. Firms also need to understand how to carry out the Reasonable Steps Test on both an objective and a subjective basis. It should be noted that failure to take reasonable steps under certain circumstances constitutes a criminal offence.

Firms need to understand how to categorise PSCs according to five pre-defined categories, with such categories and categorisation tests dependent on the type of entity under review, e.g. company, LLP, trust. Where, for example, a company is owned or controlled by a legal entity, firms need to understand when they are required by law to enter the legal entity’s details onto the PSC register, i.e. when the legal entity is both RELEVANT and REGISTRABLE. Firms also need to understand when they are required by law to serve notice on individuals and legal entities in order to confirm information. Furthermore, what is also challenging, is that firms also need be able to understand and interpret what “having the right to exercise, or actually exercising, significant influence or control over the activities of a trust or firm which is not a legal entity” means in practice.

From an operational perspective, firms also need to be able to understand, not only the use of relevant forms (e.g. PSC01 (Notice of Individual PSC); PSC04 (Notice of Change of PSC Details); PSC08 (Notice of PSC Statements); PSC09 (Notice of Update to PSC Statements)), but also official boilerplate wording that is required to be entered on the Companies House register (e.g. ‘No PSCs or Relevant Legal Entities (RLEs)'; 'Unidentified PSC'; (3) 'Unconfirmed Particulars'; 'Taking Reasonable Steps'; 'Notices'; 'Conditions'. For more complex operational groups of firms, and firms with multiple types of operating entities (e.g. chains of trusts, complex partnerships), the PSC operational requirements may require significant input from firms, in terms of internal ‘mapping’ of complex ownership structures, and identification of legal requirements in relation to all existing operational entities. For smaller and medium-sized firms, the priority should be getting to grips with the interpretation of specific terms and categories, and becoming more acquainted with the operational tests involving PSCs.

PSD2: Regulation, Strategy, and Innovation

PSD2: Regulation, Strategy, and Innovation

 

Strong Customer Authentication 

Across the European Union (EU) the original revised Payment Services Directive (PSD2) Strong Customer Authentication (SCA) final implementation date of 14th September 2019 has now been delayed by the European Banking Authority (EBA). It was previously noted that those in breach of the SCA law would have to provide a fallback mechanism (i.e. direct access) which was a costly investment on top of the dedicated interface, so Third Party Providers (TPPs) would have another way of accessing accounts and performing payment initiation services (Tink, 2019). Tink (2019) noted that:

“These penalties are severe because the banks who don’t comply are essentially inhibiting TPPs from offering aggregation and payment initiation services – and bank customers from taking advantage of these services. And because once it was decided this was the direction we were all going with PSD2 – toward better consumer protection, more innovation and more competition – we all became dependent on each other to get there.”

In the United Kingdom (UK) the financial services regulatory body, the Financial Conduct Authority (FCA), has now confirmed that they will delay full implementation until 14th March 2021 in order to allow time for businesses to create mitigation plans. In addition, the FCA in conjunction with UK Finance, has developed a rollout plan with staged compliance points ranging from 14th September 2019 to 14th March 2021. The extended grace period of 18 months is only applicable to any payments that are taken from within the UK, which means that if UK businesses collect cross-border payments from other countries within the European Economic Area (EEA), the SCA rules applicable to those particular EEA countries will apply.

Although for many businesses, this extended grace period will provide some much-needed breathing space, the envisaged harmonised and streamlined implementation of the PSD2 framework across the EU is now no longer in the works. Indeed, even as far back as March 2019 statistics from a survey of 442 European banks carried out by Swedish open banking platform ‘Tink’, highlighted that close to half of banks (41%) surveyed, had failed to meet the PSD2 deadline for the provision of a testing environment (i.e. sandbox) for TPPs (Finextra, 2019a).

The survey had covered 10 markets across the EU, and whilst countries such as Belgium, Finland, Germany, and Sweden all had high compliance rates above 80%, other countries such as Denmark, France, Norway, and Spain all featured lower compliance rates below 50% (Finextra, 2019a). Other countries such as the Netherlands (67%) and the UK (64%) featured compliance rates in between these two extremes. 

Market Research and PSD2 New Strategic Opportunities

The widespread failures to meet such implementation deadlines highlighted, not only the sizeable burden being placed on banks to meet such tight technological implementation deadlines, but also the potential subsequent disruption to various open banking platforms and services that had been caused owing to the missed deadlines (Finextra, 2019a). In practice this has precipitated a strategic free-for-all for banks and new TPPs as the new pan-European PSD2 payments market is now up for grabs. Those banks and new TPPs that have been able to meet technological deadlines, and are eager to implement advanced PSD2 strategic initiatives in order to capitalise on first mover advantages, are leading the PSD2 pack. 

In fact, Swedish Personal Finance Management (PFM) platform Tink completed a €56 million investment round in February 2019 as it prepared to roll out its business out to five new European markets (Austria, Belgium, Germany, Spain, the UK) in order to take advantage of new Open Banking rules (Finextra, 2019b). In practice, Tink is aggressively expanding its growth, and is not only set to double its European staff to 300 full-time employees by opening four new offices, but it is also set to expand its European connectivity across 20 European markets by the end of 2019 (Finextra, 2019b).

Market research has also identified the huge need for PSD2 firms to implement highly comprehensive and well-researched strategic plans, in order to capitalise on PSD2 framework developments across the EU in a timely manner. For example, a new study by ING was carried out among 1,500 Dutch citizens as part of its half-yearly Digital Monitor (Touchtech Payments, 2019). At the time the study showed that the EU’s PSD2 framework was still unknown to 82% of the Dutch population (Touthtech Payments, 2019). Before the respondents were informed of PSD2, 67% held a “negative” or “very negative” perception. This demonstrated that PSD2 firms need to think far, far beyond technological developments, and in addition need to concentrate on longer term adaptation and educational strategies for new customers in potential new markets. 

Indeed, much more than that, such operational strategies need to be specifically researched and segmented, not only for individual EU countries, but also for demographic segments across those individual EU countries. For example, it was noted that:

“…after respondents were explained what PSD2 is, almost half (46%) said they would be glad to avail of the new payment services that will be made possible by the directive. The number of respondents under the age of 34 who plan to use the services unlocked by PSD2 was nearly 40% higher than for the population overall” (Touchtech Payments, 2019).

This type of finding would suggest that PSD2 firm strategies in the Netherlands should focus on a segmentation approach whereby a specific target population (i.e. 18 > AGE < 34) would form the primary target which needs, not only to be continually educated and prepared on PSD2 developments, but also potentially ‘acclimatised’ to future PSD2 initiatives, offerings, and services to be offered by specific PSD2 firms. 

In addition, it was found that once PSD2 had been explained to the respondents, many of the respondents responded positively to the envisaged changes, with many respondents showing enthusiasm for a number of new proposed services, such as: (1) consolidated payment accounts (29%); (2) viewing all balances in one place (28%); (3) using savings applications (Apps) (26%); (4) using household Apps for payments and credit cards (25%); and (5) making online purchases without credit cards (21%) (Touchtech Payments, 2019). This kind of research highlights the significant benefits to be gained from PSD2 strategic initiatives that are grounded in jurisdictional and demographic research, as specific offerings by PSD2 firms can be specifically tailored to efficiently align with the anticipated demand that has been deduced from PSD2 field research.

Nevertheless, at the same time such positive responses can also be contrasted with the responses elicited from 400 senior decision-makers in retail banks based in Australia, France, Poland, and the UK which were surveyed by US retail banking technology provider Fiserv (Touchtech Payments, 2019). The results from this survey showed that most (54%) bankers felt that they had insufficient information in order to become compliant with PSD2 and other open banking requirements by the forthcoming deadlines (Touchtech Payments, 2019). 

In addition, most of those who had already implemented some form of open banking disagreed that they had enough information to remain compliant, and only 8% believed that they had enough people and the right skill sets to comply (Touchtech Payments, 2019). Furthermore, regarding monetisation opportunities around open banking, 44% of retail bankers believed it offered monetisation opportunities while 19% believed that open banking did not (Touchtech Payments, 2019). The results of these types of surveys highlight the real and pressing need for these types of firms and individuals to obtain much more extensive and comprehensive training, not only in the forthcoming PSD2 and Open Banking regulatory frameworks, but in fully understanding the monetisation opportunities and commercial strategies open to banks, Financial Technology (FinTech) firms, Regulatory Technology (RegTech) firms, and new TPPs.

 

Another market survey undertaken in Sweden by the analytics software firm ‘FICO’ which was executed by ‘SIFO’, showed that few Swedes were prepared to share their banking information with a third party, and that nearly half of the respondents (46%) did not want to share information with any third party (FICO, 2018). In addition, the survey showed that there were mixed views on whether PSD2 would lead to an increase or decrease in fraud (FICO, 2018). Again, these types of findings shows how crucial it is for PSD2 firms to truly understand the markets which they wish to develop and operate in, and the problems, obstacles, and challenges they must overcome in order to successfully develop PSD2 offerings. The survey showed that only 36% of respondents knew about PSD2, with the lowest awareness among those younger people aged 16-24, where only 29% knew about it (FICO, 2018). Dylan Jones from the Nordics, FICO commented that:

“Our survey shows though that few consumers know about the directive, which suggests that it will take some time before customers are ready to give third parties the necessary access in order to be able to take advantage of the new services that will launch” (FICO, 2018).

Another survey undertaken by FICO on 500 UK consumers found similar findings (FICO, 2019). It was found that only half (53%) of UK customers would give their bank their mobile number to comply with new fraud rules, and that this number dropped to 47% for consumers aged 18-24 (FICO, 2019). Moreover, one in four respondents noted that they would complain if asked, either to the bank, on social media, or to a consumer association or newspaper (FICO, 2019). These findings also coincided with a report by UK consumer advice firm ‘Which?’, which reported that 92% of the public was unaware of the PSD2 initiative which officially launched on 13th January 2018 (Dhami, 2018). It can be surmised that strategic educational marketing initiatives must form a crucial part of marketing and business development strategies in order to achieve effective PSD2 market penetration in the long term.

 

PSD2 Strategic Challenges

The PSD2 and Open Banking frameworks have brought forth a host of strategic challenges which FinTech firms, RegTech firms, and TPPs must address and successfully overcome, if they are to strategically leverage the new opportunities available under the PSD2 framework. For example, it has been identified that the absence of common standards for APIs to be used for dedicated communications interfaces is causing fragmentation in the market (Deloitte, 2018). Deloitte (2018) observes that:

“There is no EU-wide and sometimes not even national, consensus on which industry-issued standard (e.g. the Berlin Group, the UK Open Banking, PRETA, etc) to adopt; and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership with others.

We believe that the lack of common standards will lower the level of interoperability and, at least in the short to medium term, present an obstacle to the development of PSD2-enabled services and products, particularly across borders.”

This lack of a common standards framework across UK and EU markets is said to have the effect of stalling innovation, as banks can define their own interface, resulting in diverging standards and a sub-optimal level of API capabilities generally (Dunlop, n.d.).

Another major stumbling block for firms is that consumer awareness of Open Banking products and services remains low (Deloitte, 2018). Consequently, it is envisaged that this fact, combined with the high frequency of cyber-attacks and data privacy breaches in the news, will act together to constrain take-up, interest, and trust in new PSD2 services because of a latent suspicion of new products and services based on the sharing of personal and sensitive data, especially by less known brands (Deloitte, 2018). Deloitte (2018) comments that “This suggests that a major effort by firms may be required to improve consumers’ awareness, interest, and trust in this space.”

In fact, a survey of 4,000 customers across France, Germany, Spain, and the UK undertaken by GoCardless found strong evidence to substantiate such views. The survey asked customers questions on feelings about certain specific elements of the new PSD2 SCA requirements, and also how increased security at checkout would influence their buying behaviour (GoCardless, 2019). The research had a range of interesting and relevant findings. The respondents were first asked about their previous shopping habits and many reported that they had abandoned a complex payment process in the past (France, n=33%;  Germany, n=48%; Spain, n=40%; UK, n=40%) (GoCardless, 2019).

In addition, it was found that some customers would consider shopping less at their favourite brand if they were faced with a more complex checkout process (France, n=23%; Germany, n=26%; Spain, n=24%; UK, n=23%; would shop less at their favourite brand if security measures at checkout increased) (GoCardless, 2019). It was also found that likelihood of purchase abandonment was even higher when shopping with brands that are new to the shopper, especially in markets such as Germany where 36% of respondents would cancel a purchase if a new brand had a lengthy (but still secure) payment process (GoCardless, 2019).  

The survey showed that there were clear differences in responses elicited by the groups across the different markets. In the UK for example, it was identified that if the favourite brand of the respondents increased security and length of checkout process, then 43% would be frustrated but would still shop with them, whereas 23% said that they would actually shop with the brand less (GoCardless, 2019). Clearly, such a finding is significant in terms of PSD2 preparations, especially in terms of what needs to be completed from a technological perspective (i.e. frictionless checkout experience) combined with a pre-implementation customer PSD2 educational strategy.

There were higher levels of comfort in terms of the provision of security information during an online purchase identified, for example, 76% comfortable supplying agreed security information (e.g. passwords); 78% comfortable supplying device information (e.g. mobile phone); and 69% comfortable supplying biometric information (e.g. fingerprint) (GoCardless, 2019). However, it was also found that 44% of respondents had abandoned an online purchase because of complex security procedures at checkout and 40% of respondents said that they would feel suspicious if faced with a more complex checkout process (GoCardless, 2019). Interestingly, 63% of respondents said they would be likely to pay for online subscriptions using Direct Debit if it meant that they could avoid lengthy checkout processes (GoCardless, 2019). 

There are three other key concerns related to PSD2 and Open Banking that have been identified. The first relates to consumer ethics, namely, the increased concern by experts that increased third-party access to accounts and data may create opportunities for TPPs to ‘intrusively profile customers’ (Dhami, 2018). This in turn may potentially lead to an increase in predatory lending, where TPPs target ‘vulnerable’ borrowers with highly segmented advertising in order to sell products and services (Dhami, 2018). The question, therefore, is whether there is sufficient oversight on this potential new imbalance between the new and highly significant power in the hands of lenders, and new segments of PSD2 borrowers? 

Another area of concern is that of a potentially significant increase in cybercrime. As the PSD2 framework heavily relies on the opening up of pre-existing banking channels and customer accounts, applying new security controls and processes to legacy IT systems may in practice be highly complex and costly (Dhami, 2018). This problem is augmented in relation to smaller new PSD2 firms that may in actuality not be equipped with to effectively deal with the new and highly complex and onerous PSD2 requirements relating to managing fraud, human error, identity theft, and also the loss of customer data (Dhami, 2018). Finally, it has been noted that the new Open Banking frameworks:

“…may trigger an increase in social engineering attacks against customers who may be inexperienced using new technology platforms. Risks include phishing, malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide access to third parties” (Dhami, 2018).

 

PSD2 Strategy and Innovation

The previously identified surveyed perceptions and views are now absolutely crucial for FinTech firms, RegTech firms, and TPPs to take on board and incorporate in their developmental strategies. However, in practice it has been seen that many FinTech firms, RegTech firms, and TPPs are solely concentrating on developing, refining, and implementing their technological solutions, to the exclusion of marketing strategies and developmental strategies.  For example, a review by Deloitte (2018) identified that most Account Servicing Payment Service Providers (ASPSPs) that they had talked to across the EU believed that they were overall compliant with the PSD2 primary legislation requirements. It was noted that their focus had been on implementing regulatory requirements such as the European Banking Authority (EBA)’s guidance on Fraud Reporting, on finalising Application Programming Interfaces (APIs), and on implementing the requirements of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA)  and Common Secure Communication (CSC) (Deloitte, 2018).

In practice, it is submitted that this is a fatalistic approach in this new era of PSD2 regulation and technologies. Indeed, this is not simply market commentary, but in actuality market fact. For example, Storm-7 Consulting previously had enquiries from the payments firm ‘Iron Group’ in the UK, which wanted to have advice and training on PSD2 changes related to the subscription base model. Notwithstanding discussions on this area, Iron Group did not proceed with the training. Later that year Ironggroup, the digital agency expert in the subscription industry, ceased its activities in October 2017, highlighting the challenges in successfully navigating the new PSD2 strategic landscape. According to Dhami (2018):

“Open banking will generate increased competition between established providers and innovative new entrants aiming to make existing products more flexible, bespoke and convenient. These entities include the likes of Amazon, Apple, Google and Facebook, who have agility in their investment capabilities as well as an advanced technological architecture to utilize their customer data insights at scale.”

Koić (2019) is in accordance with such a viewpoint, and acknowledges that APIs allow firms to dip into customer data held by banks in order to create their own complimentary or alternative financial applications, meaning that tech leaders such as Google, Amazon, Facebook and Apple will be able to compete on the banks’ home territory. Koić (2019) notes that:

“Customers have come to expect that their banks will offer the same ease of use they get from the big four digital FANG companies – Facebook, Amazon, Netflix and Google. Customer-centricity is in vogue and the race is on for banks to deliver digital satisfaction.”

Although, this in theory may to a certain extent be true, it has been seen that this does not convey the full picture. Indeed, as has been noted previously, pre-existing customer sentiment and attitudes are a crucial part of the PSD2 strategic formula that PSD2 firms must develop, including the big digital FANG companies which many customers already have low feelings of trust in. Notwithstanding such large existing user bases, technology companies will only become fierce competition if they manage to find a formula to leverage their pre-existing customer base in a way that will ensure customer buy-in and trust across-the-board. And that is not an easy proposition to do in this new era of hidden PSD2 consumer sentiment and trust.

Some providers have already committed themselves to developing their commercial strategies early on, notwithstanding implementation problems and delays relating to SCA throughout the EU. For example, Vipps in Norway, Mobilepay in Denmark, Keks in Croatia, and Blik in Poland, have all started implementing strategic solutions, and even banks in the United States (US) are strategically evaluating opportunities and threats that may arise owing to PSD2 APIs (Koić, 2019). Some commentators believe that the majority of banks have treated PSD2 as an exercise in minimum compliance instead of looking for customer-led outcomes (Dunlop, n.d.). This means that many banks have foregone the opportunity to create slick applications to relaunch the authentication experience (e.g. by leveraging technology such as fingerprint ID), and have instead opted to conservatively redirect customers to a multipage web browser to authenticate (Dunlop, n.d.).

From a strategic perspective, it has been argued that:

“Whilst development remains ongoing, it is increasingly difficult to make a business case for committing resources to development of an API product on a grand scale when the size of the market is undeterminable… 

In the current Open Banking environment, the lack of scalability and certainty of direction of travel means that there is no advantage in being an early adopter of PSD2. 

For established fintechs there is always a desire to not be caught behind the innovation curve, but at the same time a business case needs to be evident before a commitment can be made to developing or modifying any product or payment service.” (Dunlop, n.d.). 

Given the huge amount of time needed to develop, test, refine, and perfect new PSD2 technologies and offerings; the huge amount of market research that still needs to be undertaken in order to more accurately identify consumer sentiment across multiple EU markets and consumer segments; the huge amount of time and effort that is needed in order to pre-educate potential markets and consumers; and given the highly differentiated, nuanced, and carefully orchestrated marketing and promotional activities required by PSD2 firms in the build up to widespread acceptance of new PSD2 technologies – to which many customers are already resistant to (owing to strong security and convenience preferences) – it is argued here that the belief that there is no advantage in being an early adopter of PSD2 is a highly flawed argument based on very little strategic knowledge behind PSD2 strategy and innovation.

Deloitte (2018) has identified that there has, to date, been little evidence regarding the emergence of any clear PSD2-based business models, although more ASPSPs are now looking beyond the narrow confines of PSD2 and seeking to invest and develop new “ecosystems” of partnerships with TPPs. This is undertaken by leveraging premium APIs in order to provide customers with a carefully organised marketplace experience that caters to their wider financial needs, across national and international markets (Deloitte, 2018). In addition, ASPSPs have been working on proofs of concept and pilot programmes that focus on Account Information Services (AIS) use cases (e.g. account aggregation services; PFM applications; loyalty programmes; credit risk underwriting; Small and Medium Sized Enterprises (SMEs) services) (Deloitte, 2018).

What has become clear is that PSD2 and Open Banking frameworks are highly complex areas that do not follow the developmental timelines previously established by historical EU legislative initiatives within the banking and financial services sectors. The frameworks that they usher in are both ground breaking and disruptive, notwithstanding the fact that their originally envisaged implementation timeline has been elongated. Contrary to certain market commentator beliefs, early adoption of PSD2 compliance programmes as well as strategic initiatives is imperative if PSD2 firms are to ensure that their propositions remain viable in the forthcoming paradigm shift of payment services within the EU. Indeed, for many firms, a lack of focus on strategic initiatives, market research initiatives, and educational market initiatives, means that many may find themselves struggling to develop market share, and at a loss to explain why they face such troubles. As summed up by Virdi (2016):

“PSD2 has the ability to force banks into a metamorphosis or be left behind as other visionary providers innovate, create closer customer relationships and develop new revenue streams. Simply being tactical is not enough; banks need to think strategically and differently if they are to remain relevant to their current customers and attract new ones.”

 

 

 

 

 

References

 

Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.

Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31stJanuary), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.

Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.

FICO (2018). Risk & Compliance. (5thJune), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.

FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31stJanuary), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.

Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21stMarch), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.

Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7thFebruary), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.

GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers. 

Koić, M (2019). Breaking the bank: how financial institutions can embrace disruption. (5thMarch), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption

Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21stMarch), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.

Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8thFebruary), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.

Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26thJanuary), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.

PSD2: Regulation, Strategy, and Innovation: PART IV

PSD2 Strategy and Innovation (Continued)

Some providers have already committed themselves to developing their commercial strategies early on, notwithstanding implementation problems and delays relating to SCA throughout the EU. For example, Vipps in Norway, Mobilepay in Denmark, Keks in Croatia, and Blik in Poland, have all started implementing strategic solutions, and even banks in the United States (US) are strategically evaluating opportunities and threats that may arise owing to PSD2 APIs (Koić, 2019). Some commentators believe that the majority of banks have treated PSD2 as an exercise in minimum compliance instead of looking for customer-led outcomes (Dunlop, n.d.). This means that many banks have foregone the opportunity to create slick applications to relaunch the authentication experience (e.g. by leveraging technology such as fingerprint ID), and have instead opted to conservatively redirect customers to a multipage web browser to authenticate (Dunlop, n.d.).

From a strategic perspective, it has been argued that:

“Whilst development remains ongoing, it is increasingly difficult to make a business case for committing resources to development of an API product on a grand scale when the size of the market is undeterminable… 

In the current Open Banking environment, the lack of scalability and certainty of direction of travel means that there is no advantage in being an early adopter of PSD2. 

For established fintechs there is always a desire to not be caught behind the innovation curve, but at the same time a business case needs to be evident before a commitment can be made to developing or modifying any product or payment service.” 

Given the huge amount of time needed to develop, test, refine, and perfect new PSD2 technologies and offerings; the huge amount of market research that still needs to be undertaken in order to more accurately identify consumer sentiment across multiple EU markets and consumer segments; the huge amount of time and effort that is needed in order to pre-educate potential markets and consumers; and given the highly differentiated, nuanced, and carefully orchestrated marketing and promotional activities required by PSD2 firms in the build up to widespread acceptance of new PSD2 technologies – to which many customers are already resistant to (owing to strong security and convenience preferences) – it is argued here that the belief that there is no advantage in being an early adopter of PSD2 is a highly flawed argument based on very little strategic knowledge behind PSD2 strategy and innovation.

Deloitte (2018) has identified that there has, to date, been little evidence regarding the emergence of any clear PSD2-based business models, although more ASPSPs are now looking beyond the narrow confines of PSD2 and seeking to invest and develop new “ecosystems” of partnerships with TPPs. This is undertaken by leveraging premium APIs in order to provide customers with a carefully organised marketplace experience that caters to their wider financial needs, across national and international markets (Deloitte, 2018). In addition, ASPSPs have been working on proofs of concept and pilot programmes that focus on Account Information Services (AIS) use cases (e.g. account aggregation services; PFM applications; loyalty programmes; credit risk underwriting; Small and Medium Sized Enterprises (SMEs) services) (Deloitte, 2018).

What has become clear is that PSD2 and Open Banking frameworks are highly complex areas that do not follow the developmental timelines previously established by historical EU legislative initiatives within the banking and financial services sectors. The frameworks that they usher in are both ground breaking and disruptive, notwithstanding the fact that their originally envisaged implementation timeline has been elongated. Contrary to certain market commentator beliefs, early adoption of PSD2 compliance programmes as well as strategic initiatives is imperative if PSD2 firms are to ensure that their propositions remain viable in the forthcoming paradigm shift of payment services within the EU. Indeed, for many firms, a lack of focus on strategic initiatives, market research initiatives, and educational market initiatives, means that many may find themselves struggling to develop market share, and at a loss to explain why they face such troubles. As summed up by Virdi (2016):

“PSD2 has the ability to force banks into a metamorphosis or be left behind as other visionary providers innovate, create closer customer relationships and develop new revenue streams. Simply being tactical is not enough; banks need to think strategically and differently if they are to remain relevant to their current customers and attract new ones.”

References

Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.

Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31stJanuary), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.

Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.

FICO (2018). Risk & Compliance. (5thJune), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.

FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31stJanuary), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.

Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21stMarch), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.

Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7thFebruary), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.

GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers. 

Koić, M (2019). Breaking the bank: how financial institutions can embrace disruption. (5thMarch), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption

Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21stMarch), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.

Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8thFebruary), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.

Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26thJanuary), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.

PSD2: Regulation, Strategy, and Innovation: PART III

PSD2: Regulation, Strategy, and Innovation: PART III

 

PSD2 Strategic Challenges (Continued)

The survey showed that there were clear differences in responses elicited by the groups across the different markets. In the UK for example, it was identified that if the favourite brand of the respondents increased security and length of checkout process, then 43% would be frustrated but would still shop with them, whereas 23% said that they would actually shop with the brand less (GoCardless, 2019). Clearly, such a finding is significant in terms of PSD2 preparations, especially in terms of what needs to be completed from a technological perspective (i.e. frictionless checkout experience) combined with a pre-implementation customer PSD2 educational strategy.

There were higher levels of comfort in terms of the provision of security information during an online purchase identified, for example, 76% comfortable supplying agreed security information (e.g. passwords); 78% comfortable supplying device information (e.g. mobile phone); and 69% comfortable supplying biometric information (e.g. fingerprint) (GoCardless, 2019). However, it was also found that 44% of respondents had abandoned an online purchase because of complex security procedures at checkout and 40% of respondents said that they would feel suspicious if faced with a more complex checkout process (GoCardless, 2019). Interestingly, 63% of respondents said they would be likely to pay for online subscriptions using Direct Debit if it meant that they could avoid lengthy checkout processes (GoCardless, 2019). 

There are three other key concerns related to PSD2 and Open Banking that have been identified. The first relates to consumer ethics, namely, the increased concern by experts that increased third-party access to accounts and data may create opportunities for TPPs to ‘intrusively profile customers’ (Dhami, 2018). This in turn may potentially lead to an increase in predatory lending, where TPPs target ‘vulnerable’ borrowers with highly segmented advertising in order to sell products and services (Dhami, 2018). The question, therefore, is whether there is sufficient oversight on this potential new imbalance between the new and highly significant power in the hands of lenders, and new segments of PSD2 borrowers? 

Another area of concern is that of a potentially significant increase in cybercrime. As the PSD2 framework heavily relies on the opening up of pre-existing banking channels and customer accounts, applying new security controls and processes to legacy IT systems may in practice be highly complex and costly (Dhami, 2018). This problem is augmented in relation to smaller new PSD2 firms that may in actuality not be equipped with to effectively deal with the new and highly complex and onerous PSD2 requirements relating to managing fraud, human error, identity theft, and also the loss of customer data (Dhami, 2018). Finally, it has been noted that the new Open Banking frameworks:

“…my trigger an increase in social engineering attacks against customers who may be inexperienced using new technology platforms. Risks include phishing, malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide access to third parties” (Dhami, 2018).

 

PSD2 Strategy and Innovation

The previously identified surveyed perceptions and views are now absolutely crucial for FinTech firms, RegTech firms, and TPPs to take on board and incorporate in their developmental strategies. However, in practice it has been seen that many FinTech firms, RegTech firms, and TPPs are solely concentrating on developing, refining, and implementing their technological solutions, to the exclusion of marketing strategies and developmental strategies.  For example, a review by Deloitte (2018) identified that most Account Servicing Payment Service Providers (ASPSPs) that they had talked to across the EU believed that they were overall compliant with the PSD2 primary legislation requirements. It was noted that their focus had been on implementing regulatory requirements such as the European Banking Authority (EBA)’s guidance on Fraud Reporting, on finalising Application Programming Interfaces (APIs), and on implementing the requirements of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA)  and Common Secure Communication (CSC) (Deloitte, 2018).

In practice, it is submitted that this is a fatalistic approach in this new era of PSD2 regulation and technologies. Indeed, this is not simply market commentary, but in actuality market fact. For example, Storm-7 Consulting previously had enquiries from the payments firm ‘Iron Group’ in the UK, which wanted to have advice and training on PSD2 changes related to the subscription base model. Notwithstanding discussions on this area, Iron Group did not proceed with the training. Later that year Ironggroup, the digital agency expert in the subscription industry, ceased its activities in October 2017, highlighting the challenges in successfully navigating the new PSD2 strategic landscape. According to Dhami (2018):

“Open banking will generate increased competition between established providers and innovative new entrants aiming to make existing products more flexible, bespoke and convenient. These entities include the likes of Amazon, Apple, Google and Facebook, who have agility in their investment capabilities as well as an advanced technological architecture to utilize their customer data insights at scale.”

Koić (2019) is in accordance with such a viewpoint, and acknowledges that APIs allow firms to dip into customer data held by banks in order to create their own complimentary or alternative financial applications, meaning that tech leaders such as Google, Amazon, Facebook and Apple will be able to compete on the banks’ home territory. Koić (2019) notes that:

“Customers have come to expect that their banks will offer the same ease of use they get from the big four digital FANG companies – Facebook, Amazon, Netflix and Google. Customer-centricity is in vogue and the race is on for banks to deliver digital satisfaction.”

Although, this in theory may to a certain extent be true, it has been seen that this does not convey the full picture. Indeed, as has been noted previously, pre-existing customer sentiment and attitudes are a crucial part of the PSD2 strategic formula that PSD2 firms must develop, including the big digital FANG companies which many customers already have low feelings of trust in. Notwithstanding such large existing user bases, technology companies will only become fierce competition if they manage to find a formula to leverage their pre-existing customer base in a way that will ensure customer buy-in and trust across-the-board. And that is not an easy proposition to do in this new era of hidden PSD2 consumer sentiment and trust.

 

[TO BE CONTINUED]

 

 

References

Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.

Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31stJanuary), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.

Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.

FICO (2018). Risk & Compliance. (5thJune), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.

FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31stJanuary), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.

Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21stMarch), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.

Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7thFebruary), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.

GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers. 

Koić, M (2019). Breaking the bank: how financial institutions can embrace disruption. (5thMarch), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption

Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21stMarch), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.

Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8thFebruary), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.

Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26thJanuary), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.

PSD2: Regulation, Strategy, and Innovation: PART II

PSD2: Regulation, Strategy, and Innovation: PART II

  

Market Research and PSD2 New Strategic Opportunities (Continued)

Nevertheless, at the same time such positive responses can also be contrasted with the responses elicited from 400 senior decision-makers in retail banks based in Australia, France, Poland, and the UK which were surveyed by US retail banking technology provider Fiserv (Touchtech Payments, 2019). The results from this survey showed that most (54%) bankers felt that they had insufficient information in order to become compliant with PSD2 and other open banking requirements by the forthcoming deadlines (Touchtech Payments, 2019). 

In addition, most of those who had already implemented some form of open banking disagreed that they had enough information to remain compliant, and only 8% believed that they had enough people and the right skill sets to comply (Touchtech Payments, 2019). Furthermore, regarding monetisation opportunities around open banking, 44% of retail bankers believed it offered monetisation opportunities while 19% believed that open banking did not (Touchtech Payments, 2019). The results of these types of surveys highlight the real and pressing need for these types of firms and individuals to obtain much more extensive and comprehensive training, not only in the forthcoming PSD2 and Open Banking regulatory frameworks, but in fully understanding the monetisation opportunities and commercial strategies open to banks, Financial Technology (FinTech) firms, Regulatory Technology (RegTech) firms, and new TPPs.

Another market survey undertaken in Sweden by the analytics software firm ‘FICO’ which was executed by ‘SIFO’, showed that few Swedes were prepared to share their banking information with a third party, and that nearly half of the respondents (46%) did not want to share information with any third party (FICO, 2018). In addition, the survey showed that there were mixed views on whether PSD2 would lead to an increase or decrease in fraud (FICO, 2018). Again, these types of findings shows how crucial it is for PSD2 firms to truly understand the markets which they wish to develop and operate in, and the problems, obstacles, and challenges they must overcome in order to successfully develop PSD2 offerings. The survey showed that only 36% of respondents knew about PSD2, with the lowest awareness among those younger people aged 16-24, where only 29% knew about it (FICO, 2018). Dylan Jones from the Nordics, FICO commented that:

“Our survey shows though that few consumers know about the directive, which suggests that it will take some time before customers are ready to give third parties the necessary access in order to be able to take advantage of the new services that will launch” (FICO, 2018).

Another survey undertaken by FICO on 500 UK consumers found similar findings (FICO, 2019). It was found that only half (53%) of UK customers would give their bank their mobile number to comply with new fraud rules, and that this number dropped to 47% for consumers aged 18-24 (FICO, 2019). Moreover, one in four respondents noted that they would complain if asked, either to the bank, on social media, or to a consumer association or newspaper (FICO, 2019). These findings also coincided with a report by UK consumer advice firm ‘Which?’, which reported that 92% of the public was unaware of the PSD2 initiative which officially launched on 13thJanuary 2018 (Dhami, 2018). It can be surmised that strategic educational marketing initiatives must form a crucial part of marketing and business development strategies in order to achieve effective PSD2 market penetration in the long term.

 

PSD2 Strategic Challenges

The PSD2 and Open Banking frameworks have brought forth a host of strategic challenges which FinTech firms, RegTech firms, and TPPs must address and successfully overcome, if they are to strategically leverage the new opportunities available under the PSD2 framework. For example, it has been identified that the absence of common standards for APIs to be used for dedicated communications interfaces is causing fragmentation in the market (Deloitte, 2018). Deloitte (2018) observes that:

“There is no EU-wide and sometimes not even national, consensus on which industry-issued standard (e.g. the Berlin Group, the UK Open Banking, PRETA, etc) to adopt; and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership with others.

We believe that the lack of common standards will lower the level of interoperability and, at least in the short to medium term, present an obstacle to the development of PSD2-enabled services and products, particularly across borders.”

This lack of a common standards framework across UK and EU markets is said to have the effect of stalling innovation, as banks can define their own interface, resulting in diverging standards and a sub-optimal level of API capabilities generally (Dunlop, n.d.).

Another major stumbling block for firms is that consumer awareness of Open Banking products and services remains low (Deloitte, 2018). Consequently, it is envisaged that this fact, combined with the high frequency of cyber-attacks and data privacy breaches in the news, will act together to constrain take-up, interest, and trust in new PSD2 services because of a latent suspicion of new products and services based on the sharing of personal and sensitive data, especially by less known brands (Deloitte, 2018). Deloitte (2018) comments that “This suggests that a major effort by firms may be required to improve consumers’ awareness, interest, and trust in this space.”

In fact, a survey of 4,000 customers across France, Germany, Spain, and the UK undertaken by GoCardless found strong evidence to substantiate such views. The survey asked customers questions on feelings about certain specific elements of the new PSD2 SCA requirements, and also how increased security at checkout would influence their buying behaviour (GoCardless, 2019). The research had a range of interesting and relevant findings. The respondents were first asked about their previous shopping habits and many reported that they had abandoned a complex payment process in the past (France, n=33%;  Germany, n=48%; Spain, n=40%; UK, n=40%) (GoCardless, 2019).

In addition, it was found that some customers would consider shopping less at their favourite brand if they were faced with a more complex checkout process (France, n=23%; Germany, n=26%; Spain, n=24%; UK, n=23%; would shop less at their favourite brand if security measures at checkout increased) (GoCardless, 2019). It was also found that likelihood of purchase abandonment was even higher when shopping with brands that are new to the shopper, especially in markets such as Germany where 36% of respondents would cancel a purchase if a new brand had a lengthy (but still secure) payment process (GoCardless, 2019).  

 

[TO BE CONTINUED]

 

 

References

Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.

Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31stJanuary), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.

Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.

FICO (2018). Risk & Compliance. (5thJune), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.

FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31stJanuary), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.

Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21stMarch), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.

Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7thFebruary), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.

GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers. 

Koić, M (2019). Breaking the bank: how financial institutions can embrace disruption. (5thMarch), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption

Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21stMarch), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.

Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8thFebruary), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.

Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26thJanuary), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.

 

PSD2: Regulation, Strategy, and Innovation: PART I

PSD2: Regulation, Strategy, and Innovation: PART I

This four part article will explore and provide analysis into how Banks, Financial Institutions, FinTech firms and RegTech firms are failing to capture strategic and commercial advantage through insight into the opportunities arising from the impact of revised Payment Services Directive (PSD2) and Strong Customer Authentication (SCA) implementation. This article will highlight how firms are failing to recognise these opportunities and are not effectively preparing themselves for the upcoming landscape, but are instead choosing to adopt a ‘wait and see’ approach.

Strong Customer Authentication

Across the European Union (EU) the original revised Payment Services Directive (PSD2) Strong Customer Authentication (SCA) final implementation date of 14th September 2019 has now been delayed by the European Banking Authority (EBA). It was previously noted that those in breach of the SCA law would have to provide a fallback mechanism (i.e. direct access) which was a costly investment on top of the dedicated interface, so Third Party Providers (TPPs) would have another way of accessing accounts and performing payment initiation services (Tink, 2019). Tink (2019) noted that:

“These penalties are severe because the banks who don’t comply are essentially inhibiting TPPs from offering aggregation and payment initiation services – and bank customers from taking advantage of these services. And because once it was decided this was the direction we were all going with PSD2 – toward better consumer protection, more innovation and more competition – we all became dependent on each other to get there.”

In the United Kingdom (UK) the financial services regulatory body, the Financial Conduct Authority (FCA), has now confirmed that they will delay full implementation until 14th March 2021 in order to allow time for businesses to create mitigation plans. In addition, the FCA in conjunction with UK Finance, has developed a rollout plan with staged compliance points ranging from 14th September 2019 to 14th March 2021. The extended grace period of 18 months is only applicable to any payments that are taken from within the UK, which means that if UK businesses collect cross-border payments from other countries within the European Economic Area (EEA), the SCA rules applicable to those particular EEA countries will apply.

Although for many businesses, this extended grace period will provide some much-needed breathing space, the envisaged harmonised and streamlined implementation of the PSD2 framework across the EU is now no longer in the works. Indeed, even as far back as March 2019 statistics from a survey of 442 European banks carried out by Swedish open banking platform ‘Tink’, highlighted that close to half of banks (41%) surveyed, had failed to meet the PSD2 deadline for the provision of a testing environment (i.e. sandbox) for TPPs (Finextra, 2019a).

The survey had covered 10 markets across the EU, and whilst countries such as Belgium, Finland, Germany, and Sweden all had high compliance rates above 80%, other countries such as Denmark, France, Norway, and Spain all featured lower compliance rates below 50% (Finextra, 2019a). Other countries such as the Netherlands (67%) and the UK (64%) featured compliance rates in between these two extremes. 

Market Research and PSD2 New Strategic Opportunities

The widespread failures to meet such implementation deadlines highlighted, not only the sizeable burden being placed on banks to meet such tight technological implementation deadlines, but also the potential subsequent disruption to various open banking platforms and services that had been caused owing to the missed deadlines (Finextra, 2019a). In practice this has precipitated a strategic free-for-all for banks and new TPPs as the new pan-European PSD2 payments market is now up for grabs. Those banks and new TPPs that have been able to meet technological deadlines, and are eager to implement advanced PSD2 strategic initiatives in order to capitalise on first mover advantages, are leading the PSD2 pack. 

In fact, Swedish Personal Finance Management (PFM) platform Tink completed a €56 million investment round in February 2019 as it prepared to roll out its business out to five new European markets (Austria, Belgium, Germany, Spain, the UK) in order to take advantage of new Open Banking rules (Finextra, 2019b). In practice, Tink is aggressively expanding its growth, and is not only set to double its European staff to 300 full-time employees by opening four new offices, but it is also set to expand its European connectivity across 20 European markets by the end of 2019 (Finextra, 2019b).

Market research has also identified the huge need for PSD2 firms to implement highly comprehensive and well-researched strategic plans, in order to capitalise on PSD2 framework developments across the EU in a timely manner. For example, a new study by ING was carried out among 1,500 Dutch citizens as part of its half-yearly Digital Monitor (Touchtech Payments, 2019). At the time the study showed that the EU’s PSD2 framework was still unknown to 82% of the Dutch population (Touthtech Payments, 2019). Before the respondents were informed of PSD2, 67% held a “negative” or “very negative” perception. This demonstrated that PSD2 firms need to think far, far beyond technological developments, and in addition need to concentrate on longer term adaptation and educational strategies for new customers in potential new markets. 

Indeed, much more than that, such operational strategies need to be specifically researched and segmented, not only for individual EU countries, but also for demographic segments across those individual EU countries. For example, it was noted that:

“…after respondents were explained what PSD2 is, almost half (46%) said they would be glad to avail of the new payment services that will be made possible by the directive. The number of respondents under the age of 34 who plan to use the services unlocked by PSD2 was nearly 40% higher than for the population overall” (Touchtech Payments, 2019).

This type of finding would suggest that PSD2 firm strategies in the Netherlands should focus on a segmentation approach whereby a specific target population (i.e. 18 > AGE < 34) would form the primary target which needs, not only to be continually educated and prepared on PSD2 developments, but also potentially ‘acclimatised’ to future PSD2 initiatives, offerings, and services to be offered by specific PSD2 firms. 

In addition, it was found that once PSD2 had been explained to the respondents, many of the respondents responded positively to the envisaged changes, with many respondents showing enthusiasm for a number of new proposed services, such as: (1) consolidated payment accounts (29%); (2) viewing all balances in one place (28%); (3) using savings applications (Apps) (26%); (4) using household Apps for payments and credit cards (25%); and (5) making online purchases without credit cards (21%) (Touchtech Payments, 2019). This kind of research highlights the significant benefits to be gained from PSD2 strategic initiatives that are grounded in jurisdictional and demographic research, as specific offerings by PSD2 firms can be specifically tailored to efficiently align with the anticipated demand that has been deduced from PSD2 field research.

 

[TO BE CONTINUED]

References

 

Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.

Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31stJanuary), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.

Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.

FICO (2018). Risk & Compliance.  (5thJune), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.

FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31stJanuary), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.

Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21stMarch), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.

Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7thFebruary), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.

GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers. 

Koić, M (2019). Breaking the bank: how financial institutions can embrace disruption. (5thMarch), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption

Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21stMarch), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.

Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8thFebruary), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.

Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26thJanuary), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.

Central Counterparty (CCP): Options Clearing Corporation $20 Million Fine: A Critique by Storm-7 Consulting - PART IV (SEC ORDER)

Introduction

This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

Background

On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC or the Commission) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts and had agreed to pay $20 million in penalties in lieu of settlement of charges that it failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

Proceedings Before the SEC

The SEC Order noted that because OCC was the sole registered clearing agency for exchange listed option contracts in the US, it had been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU).  The SEC Order further observed that:

“OCC serves as sole registered clearing agency for exchange listed option contracts in the United States… Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants or the broader U.S. financial system.

As a registered clearing agency, OCC is a self-regulatory organization (SRO) under the Exchange Act. Self-regulatory organizations are charged with an important public trust to carry out their self-regulatory responsibilities effectively and fairly, while fostering free and open markets, protecting investors, and promoting the public trust.”

Material Representations by OCC

In it’s 2017 Annual Report entitled “Innovate, Educate, Advocate” (as of 31st December 2017), OCC expressly stated in Note 17. Contingencies, at page 47:

“In the normal course of business, OCC may be subject to various lawsuits and claims. In addition, as a regulated entity, OCC is subject to examinations by the SEC and CFTC. From time to time, such examinations result in regulatory findings or other matters, the resolution of which could in the future include remediation or fines. At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

In its 2018 Annual Report entitled “Clear the Path” (as of 31st December 2018), OCC expressly stated in Note 17. Contingencies, at page 46:

“In the normal course of business, OCC may be subject to various lawsuits, claims, and other legal proceedings. In addition, as a regulated entity, OCC is subject to examination by the SEC and CFTC. In connection with these regulatory and legal matters, OCC has accrued $15 million as of December 31, 2018. Actual settlement amounts may exceed amounts accrued and such amounts could be material.”

Rule 17Ad-22(e) under the Exchange Act

Rule 17Ad-22(e) sought to establish standards for registered clearing agencies that met the definition of “covered clearing agency” (CCA), and was first proposed in March 2014. The Commission adopted it in October 2016, and since OCC was a CCA for the purposes of the rule, it was required to comply by 11th April 2017. The rule was adopted in order to impose consistent, higher minimum risk management standards across all CCAs, and also in order to mitigate the potential for any moral hazard associated with risk management at a CCA.

OCC’s Failure to Comply

Despite the fact that the Commission staff had notified OCC of material weaknesses with its policies and procedures that could result in violations of Rule 17Ad-22(e) and Reg. SCI , if they were not corrected before the required compliance dates, OCC failed to comply with these rules by the required compliance dates.

The Commission alleged that OCC had failed to establish, implement, maintain and enforce policies and procedures reasonably designed to:

(1) review its risk-based margin models and the parameters for those models on a monthly basis;

(2) consider and produce margin levels commensurate with the risks and particular attributes of each relevant product cleared by OCC;

(3) effectively measure, monitor, and manage its credit exposure and liquidity risk;

(4) maintain a comprehensive risk management framework;

(5) protect the security of certain of its information systems; and 

(6) provide for a well-founded, clear, transparent and enforceable legal framework for every aspect of its activities.

In addition, it was alleged that OCC had also failed to comply with Section 19(b) of the Exchange Act and Rule 19b-4(c), by adopting and changing certain policies prior to obtaining Commission approval. 

OCC was legally required to comply with Reg. SCI by 2rd November 2015.

OCC was legally required to comply with Rule 17Ad-22(e) by 11th April 2017.

Prior to, and throughout this period, the firm’s legal counsel was under a duty to the OCC to inform and update the management of OCC and/or the Board about its legal responsibilities and duties as required by US laws and SEC and CFTC rules. Any good US law student with a basic understanding of US laws and SEC and CFTC rules would have been able to clearly identify such legal obligations. 

A legal counsel working for the largest clearing organization in the world for equity derivatives would have known about these requirements without fail. Consequently, there seems to be questions that ostensibly the SEC and the CFTC have not dealt with in their respective Orders. 

If the 2nd November 2015 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Reg. SCI.

If the 11th April 2017 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Rule 17Ad-22(e).

Assuming this is the case, and it was prima facie alleged by the SEC that the OCC was in breach of these legal requirements, and that such breaches warranted investigation by the SEC and/or would potentially be subject to civil fines and negative reputational damage.

How can it be that in its 2017 Annual Report the OCC was able to unequivocally say:

“At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

Could such a statement amount to a misrepresentation to existing and/or potential shareholders who were relying on the OCC to inform them about any matters that could negatively impact OCC’s share price? 

Indeed, the question to be asked is could this be legally interpreted in any way as to be misinforming the public vis-à-vis the financial affairs and/or share price of the OCC via the OCC’s 2017 Annual Report? 

OCC Failures

The SEC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:

(1) REVIEW ITS RISK-BASED MARGIN MODELS AND THE PARAMETERS FOR THOSE MODELS ON A MONTHLY BASIS;

Exchange Act Rule (EAR) 17Ad-22(b)(2) mandates that a Registered Clearing Agency (RCA) establish, implement, maintain, and enforce written policies and procedures reasonably designed to use risk-based models and parameters to set margin requirements and review such margin requirements and the related risk-based models and parameters at least monthly.

Although OCC was required to comply with this rule by 2nd January 2013, by April 2017, MORE THAN 3 YEARS LATER, OCC had still not complied with this legal requirement.

The Commission had noted that “[m]arket conditions and risks are constantly changing and therefore the models and parameters used by a clearing agency providing [central counterparty] services to set margin may not accurately reflect the needs of a clearing agency if they are permitted to remain static.”

In practice it is crucial for CCPs to ensure that their risk-based margin models are continuously accurate, and that they are reviewed and updated regularly to take into account socioeconomic indicators and trends; political moderating factors; geographical moderating factors; global, regional, and national trends; and other moderating or influencing factors. 

For example, a hurricane in the Caribbean could significantly affect commodity exports from those islands affected in the Caribbean. This in turn could then impact commodity prices of related exchange traded products. If risk-based margin models remain static in a month, then, for example, the same August 2019 margin amounts might be called for September 2019 oil derivatives, even though they may no longer be equivalent, in terms of underlying risk, as August 2019 oil derivatives. 

Moreover, such risk-based margin models also need to be calibrated to take into account financial stress indicators. For example, Monin (2019)  defines financial stress as disruptions in the typical functioning of financial markets. It is further noted that symptoms of financial stress can be informed by both theory and practice, and in practice may include uncertainty about the fundamental value of financial assets or the behaviour of investors; increased asymmetric information; and a decreased willingness to hold risky or illiquid assets (Monin, 2019). Examples of the Office of Financial Research (OFR) Financial Stress Index (FSI) category definitions include: (1) credit; (2) equity valuation; (3) funding; (4) safe assets; and (5) volatility (Monin, 2019).

The more accurately these risk-based models and parameters are calibrated and regularly reviewed, the more likely it is that a RCA will be effectively fulfilling its role and maintaining balanced market conditions. In the case of the OCC, owing to its status as a SIFMU it was a fortiori required to ensure that its risk-based margin models were calibrated as accurately as possible, and regularly reviewed to ensure such accuracy because of the potentially significant risks and costs to other market participants and to the broader US financial system.

(2) CONSIDER AND PRODUCE MARGIN LEVELS COMMENSURATE WITH THE RISKS AND PARTCULAR ATTRIBUTES OF EACH RELEVANT PRODUCT CLEARED BY OCC;

EAR 17Ad-22(e)(6)(i) mandates that a CCA establish, implement, maintain, and enforce policies and procedures that are reasonably designed to cover its credit exposures to its participants by establishing a risk-based margin system that inter alia considers, and produces margin levels commensurate with, the risk and particular attributes of each relevant product, portfolio, and market.

Although OCC was required to comply with this rule by 11th April 2017, at the time of the SEC Order it had still not complied with this legal requirement. The SEC Order stated:

“Specifically, OCC’s margin model fails to consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity. 

OCC’s margin model also fails to consider specific wrong way risk associated with cleared securities which are related to clearing members.

Specific wrong-way risk arises at a [central counterparty] when an exposure to a participant is highly likely to increase when the creditworthiness of that participant is deteriorating.”

The failure of OCC’s margin model to consider the impact of market liquidation costs, bid-ask spreads, other transaction-based costs, and the potential market impact of liquidation activity has been considered and discussed in PART I of this Blog series.

As regards the failure of OCC’s margin model to consider specific wrong way risk (WWR), this issue will be discussed here in further depth.

WWR refers to unfavourable dependencies (e.g. between the value of margin held and creditworthiness of clearing members). So, for example, margin held by a CCP should not be wrong-way, e.g. correlated to the default of the counterparty in that a counterparty posts their own bonds or equity) (Gregory, 2014).  

It is important to differentiate between two distinct types of WWR, which can apply to exposure or margin-related linkages, these are: (1) General WWR; and (2) Specific WWR (Gregory, 2014). General WWR refers to linkages arising from macroeconomic relationships (e.g. interest rates being correlated to credit spreads), whereas Specific WWR arises from specific factors affecting a counterparty (e.g. a ratings downgrade by ratings agency Moody’s) (Gregory, 2014).

According to Eurex Clearing, “Wrong-way risk is defined as the potential loss which Eurex Clearing may suffer during the Default Management Process, due to an unfavorable interrelatedness between the counterparty’s creditworthiness, the value of its collateral pool and the value of its portfolio.” 

If OCC’s margin models had failed to consider specific WWR associated with cleared securities related to clearing members, then this presented a highly significant potential problem for the OCC in terms of accurately identifying the real extent of counterparty risk which the OCC had calculated. This is because if the OCC’s margin models had calculated counterparty risk, but had failed to account for potential specific WWR relevant to specific clearing members in such models, then the OCC was potentially exposed to an unknown quantity of specific WWR for each clearing member, and cumulatively, this could amount to a very large unknown quantity of specific WWR that could materialise in the event of one or more counterparty defaults.

An example of WWR pertinent to put options is set out below for illustrative purposes:

“If a put option for corporate stock correlates highly with counterparty default probability, when the underlying share price declines, the value of the put option (in this case the exposure) increases at the same time that the probability of counterparty default increases. As a result, this wrong-way risk causes a sharp increase in overall risk” (Inamura et al., 2012).  

Eurex Clearing identifies its approach to WWR and the actions it takes with regards to WWR:

“To safeguard the overall integrity of the Clearing House and to protect the mutualizing Default Fund, we conduct an internal credit assessment of all counterparties and perform continuous monitoring of credit, concentration and wrong-way risks. This enables us to guarantee fulfilment of all obligations towards counterparties even under extreme market conditions.

The first step in which we avoid wrong-way risk is that we do not allow counterparties to deposit own issues (or issues of closely linked entities) as collateral. Moreover, counterparties are not entitled to use such instruments as collateral for repo transaction or securities lending transactions.

In case Clearing Members enter into positions, where they are exposed to the performance of their own stock (e.g. derivatives on their own stock) or other instruments issued by themselves or entities belonging to the same legal group, these positions are collateralized based on the assumption that the underlying becomes worthless in a default scenario. 

Resources which have already been provided to secure these positions (i.e. dedicated Total Margin Requirement on single position level as well as derived Default Fund contributions) are deducted before the final Supplementary Margin for the own issue positions is calculated. 

A daily monitoring process ensures a tight control of any own issue position. For a more efficient collateral management process on the Clearing Member side, the Supplementary Margins are charged weekly based on the largest excess (i.e. Loss given default minus already provided resources) over the previous week.

By defining dedicated wrong-way risk limits, we are taking additional steps to minimize such risk. These limits are applicable to a counterparty’s collateral pool and the counterparty’s notional exposure.”

The sheer size and negative impact of WWR was clearly and unequivocally demonstrated in the previous sub-prime crisis. Consequently, given the clear and significant problems that were demonstrated by unanticipated effects of WWR during the sub-prime crisis, it was the OCC’s duty to ensure that its margin models identified and incorporated potential WWR and thereby mitigated its effects across its clearing members in order to ensure it operated a robust CCP clearing system.

(3) COVER ITS CREDIT EXPOSURE;

EAR 17Ad-22(e)(4)(iii) mandates that a CCA (that is not subject to EAR 17Ad-22(e)(4)(ii)) must establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain additional financial resources at a minimum to enable it to cover a wide range of foreseeable stress scenarios.

EARs 17Ad-22(e)(4)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to test the sufficiency of its total financial resources available to meet the minimum requirements  by:

(1) stress testing its total financial resources once each day using standard predetermined parameters and assumptions;

(2) comprehensively analyzing its stress scenarios, model and underlying parameters and assumptions on at least a monthly basis;

(3) comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and 

(4) reporting the results of its stress testing analyses to appropriate decision makers.

Although OCC was required to comply with these rules by 11th April 2017, through at least 4th September 2018 it had still failed to comply with these legal requirements.

It was noted that instead of complying with these requirements, OCC had implemented policies and procedures that determined the monthly sizing of its clearing fund based on a daily calculation of its stress testing exposures utilizing only A LIMITED NUMBER OF SCENARIOS.

The failure of the OCC to cover its credit exposure through stress testing was dealt with in PART I of this Blog. However, some commentary will be made here regarding the OCC’s use of only a limited number of scenarios vis-à-vis its legal stress testing obligations. The main difficulty with utilizing only a limited number of scenarios is that this makes it highly likely that the monthly sizing of its clearing fund does not in actuality reflect the realities of the underlying markets in which the OCC operates. This is highly problematic in practice, because it means that the OCC is potentially not actually fulfilling its role, not only as a CCP, but also as a SIFMU, because it is not robustly addressing all the stress scenarios to which it might be exposed in time of normal markets, and also to which it might be potentially exposed, in times when the markets are subject to financial stress.

In practice, stress scenarios need to be created for each asset class that is in use by the OCC, as well as shifting relevant risk factors in particular markets in order to account for the relevant assumed period of risk, i.e. stress period of risk will differ depending on the underlying asset class and the relevant risk factors that have been shifted.

Stress scenarios then need to be calibrated according to extreme but plausible scenarios, and then those scenarios are broken down into:
(1) historical scenarios (i.e. extreme and well-known events, such as the Lehman Default and the Global Financial Crisis (2008) the Cyprus Financial Crisis (2013); and the Brexit Referendum (2016)); 

(2) hypothetical scenarios (i.e. forward-looking scenarios simulating extreme risk factor movements for all cleared asset classes and products simultaneously by combining selected constellations of up and down moves across asset classes) ;

(3) correlation stress scenarios (i.e. special hypothetical scenarios that additionally stress the correlations between single risk factors);

(4) global scenarios (i.e. condensing information from a large number of asset class-specific forward-looking hypothetical scenarios to a smaller number of concise scenarios) (Eurex Clearing, 2019).

As can be seen, if these stress scenarios need to be calculated for multiple asset classes under different market conditions, then calculating stress testing exposures on a daily basis utilizing only a limited number of scenarios would seem to fall very short of the requirements needed to ensure accuracy of financial resources required on a month-to-month basis.

(4) MAINTAIN SUFFICIENT LIQUID RESOURCES

EAR 17Ad-22(e)(7)(i) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures reasonably designed to maintain sufficient liquid resources, at the minimum, in all relevant currencies in order to effect same-day, and where appropriate, intraday and multiday, settlement of payment obligations with a high degree of confidence under a wide range of foreseeable stress scenarios.

EAR 17Ad-22(e)(7)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to determine the amount, and regularly test the sufficiency, of the liquid resources held for the purposes of meeting the minimum liquid resource requirement , by, at a minimum:

(1) stress testing its liquidity resources once each day using standard predetermined parameters and assumptions;

(2) comprehensively analyzing its stress testing scenarios, models, and underlying parameters and assumptions on at least a monthly basis;

(3) comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and 

(4) reporting the results of its stress testing analyses to appropriate decision makers.

The OCC was required to comply with EAR 17Ad-22(e)(7)(i) and 17AD-22(e)(7)(vi)(A)-(D) by 11th April 2017, however as of the date of the SEC Order, it had still failed to fulfil its legal requirements.

The SEC Order noted that OCC had instead implemented policies and procedures which determined the size of its liquid resources using SCALED NORMAL MARKET CONDITIONS.

By using SCALED NORMAL MARKET CONDITIONS the OCC would have been implementing liquid resources that were very likely to be below that actually required for day-to-day operations. By failing to include extreme but plausible market conditions, the OCC was ensuring that the parameters of liquidity resources were limited to expected normal market conditions. Consequently, it was highly likely that not only were the liquidity resources required on a day-to-day basis much lower than that which might otherwise be required using parameters that included extreme but plausible market conditions, but moreover it could not be said that it was maintaining sufficiency of liquid resources with a high degree of confidence under a wide range of foreseeable stress scenarios.

The OCC had failed to stress test its total liquid resources using a wide range of foreseeable stress scenarios once each day; 

Again, if the OCC had actually been stress testing its required liquid resources utilising a wide range of foreseeable stress scenarios each day, then the likelihood is that in all probability it would have been calculating higher minimum liquidity resources required, than that which it was actually calculating. By excluding foreseeable stress scenarios that might be encountered during extreme but plausible market conditions, it was in actuality very likely minimising the minimum liquidity resources calculated, i.e. these may very likely not reflected its ACTUAL MINIMUM LIQUIDITY RESOURCES required utilising both normal and stressed market conditions.

The OCC had failed to analyze its stress testing scenarios, models parameters, and assumptions at least monthly;

By failing to analyse its stress testing scenarios, models parameters and assumptions, at least monthly, it was failing to operate a robust and accurate risk management framework. This is particularly troubling given that the fundamental role of a CCP is to manage risk on a daily basis using the most accurate and granular data and information available. The fact that it was alleged that OCC was failing to scrutinise its stress testing scenarios on a regular basis meant that in actuality it fell far below “normal” CCP operational practices, for example, as compared with the operational practices of other well established CCPs operating in the European Union.

The OCC had failed to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility;

OCC’s failure to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility, again is, when benchmarked against the practices of other well established CCPs, a complete and utter failure on the part of the OCC. In fact if we were to solicit comments from other well established CCPs about OCC’s failure to undertake this in practice, it is almost certain that all such CCPs would be highly critical about the negative repercussions that such operational practices would raise in terms of effective risk management practices.

The OCC had failed to report the results of its stress testing analyses to appropriate decision makers;

This failure to report the results of stress testing analyses to appropriate decision makers can in no way be seen as a ‘minor fault’, or something that was ‘overlooked’. Viewed from a legal perspective, this is nothing less than operational negligence on the part of OCC and/or its employees undertaken on a vicarious liability basis. Such negligence is made all the worse given its fundamental role as a SIFMU within the US.

The OCC had failed to include all known sources of possible liquidity obligations in determining the liquidity required in the event of a clearing member default (such as certain possible liquidity, payment, and delivery obligations relating to default auctions);

In practice this failure translated to the OCC having significantly miscalculated possible liquidity obligations required relating to potential clearing member defaults. In practice, the fact that it had failed to calculate such factors meant that it was operating at operational levels far, far below that of many other well established CCPs operating around the world, a fact which is all the more shocking given its fundamental role as a SIFMU in the US.

(5) MAINTAIN A COMPREHENSIVE RISK MANAGEMENT FRAMEWORK

EAR 17Ad-22(e)(3) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain a sound risk management framework to comprehensively manage legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in, or are borne by, the CCA.

EAR 17Ad-22(e)(3)(i) mandates that a CCA’s risk management framework include risk management policies, procedures, and systems that are designed to identify, measure, monitor, and manage the range of risks that arise in, or are borne by, the CCA, and that are subject to review on a specified periodic basis and approved by the board of directors annually.

OCC was required to comply with the latter requirement by 11th April 2017, however at the time of the SEC Order it had failed to implement such policies designed to manage credit and liquidity risks.

OCC lacked policies and procedures which provided for comprehensive stress testing of its financial and liquid resources under a wide range of foreseeable stress scenarios.

OCC failed to implement policies and procedures reasonably designed to manage the operational risk that arises in, or is borne by OCC, and specifically they were not reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect SCI systems had adequate levels of capacity, integrity, resiliency, availability, and security.

OCC’s policies and procedures were also not reasonably designed to provide for a well-founded, clear, transparent, and enforceable legal basis for each aspect of its activities in all relevant jurisdictions, because OCC failed to file proposed rules before adopting certain policies and implemented certain policies prior to approval of the Commission.

It has become patently clear that the OCC’s overall risk management processes and procedures were very far from robust, resilient and secure. Its overall approach to its risk management procedures, its stress testing procedures, its margin methodology procedures, and its security procedures, demonstrate a fundamental disregard to the most basic tenets of a CCP’s operational procedures and mandates. 

A CCP is, by design, intended to minimise, mitigate, and deal with risk, and yet all of the evidence offered by the CFTC and SEC Orders cumulatively demonstrate an across-the-board total lapse in operational, technological, and strategic oversight by the OCC. The accumulated failures identified throughout the CFTC and SEC judgments highlight, not highly operationally advanced and complex requirements, but failures in the most basic risk management frameworks for CCP operations. 

This is all the more severe taking into account the OCC’s long-established history, its decades of operational experience, its positioning as the largest clearing organization in the world for equity derivatives, and its statute and responsibilities as a SIFMU. Taking into account the fact that in 2018 a single default by a clearing member caused a $133 million hole in Nasdaq’s clearing house buffers, one can imagine the potential damage that might have been caused by a default by one or more of the OCC’s clearing members, which could in turn have potentially caused unquantifiable systemic risk, owing to the huge defects in the OCC’s risk management framework.  

Given the fact that in 2017 OCC’s total revenues were $359,619,000, and in 2018 OCC’s total revenues were $467,838,000, it is highly questionable whether a $20 million fine was sufficient to reflect the highly poor operational practices and risk management framework that was put in place by OCC, not only for a short period of time, but in most cases for years and years.

(6) PROTECT THE SECURITY OF CERTAIN OCC INFORMATION SYSTEMS
Rule 1001(a)(1) of Reg. SCI mandates that an SCI entity (e.g. RCA) establish, maintain, and enforce written policies and procedures that are reasonably designed to ensure that its SCI systems , and with respect to security standards, indirect SCI systems , have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI’s entity operational capability and promote the maintenance of fair and orderly markets.

Such policies and procedures must include, at a minimum, regular reviews and testing (as applicable), of such systems (including backup systems), to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.

OCC was required to implement such legal requirements by 3rd November 2015. As of the date of the SEC Order, OCC had still failed to establish such policies and procedures that were reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect systems, had adequate levels of capacity, integrity, resiliency, availability, and security.

As of 3rd November 2015, OCC had still failed to establish, maintain, and enforce written policies and procedures that were reasonably designed to:

(1) consistently identify, prioritize, test, and implement vendor-issued patches;

(2) secure certain data within cloud environments;

(3) ensure that all network devices, including unused and test network devices, were inventoried; and 

(4) ensure security threats would be promptly detected.

The failures highlighted by these alleged infractions demonstrate the incompetence of any, or all, of: (1) OCC’s information technology (IT) department; (2) OCC’s management hierarchy, structure, and reporting lines; and (3) OCC’s legal department.

Given that the OCC is the largest clearing organization in the world for equity derivatives, it is submitted that such failures reflect failures in basic operational procedures, and as such either reflect:

(1) highly lax administrative management and oversight of legal requirements by any, or all of, the above three named departments; or 

(2) worse still, intentional choices made to delay implementation of remedial measures either owing to the costs involved, the low prioritisation of such requirements, or a combination of both.

AND 

(7) THE OCC FAILED TO OBTAIN COMMISSION APPROVAL FOR PROPOSED RULE CHANGES

Section 19(b)(1) of the Exchange Act requires SROs (e.g. RCAs) to file with the Commission a proposed rule change  accompanied by a concise general statement of the basis and purpose of such proposed rule change.

Section 19(b)(1) requires the Commission to publish notice of the proposed rule change and provide interested persons an opportunity to submit written comments.

Section 19(b)(1) prohibits a proposed rule change from taking effect unless it is approved by the Commission, or otherwise permitted under Section 19(b)(1).

OCC failed to file with the Commission proposed rule changes before adopting a number of policies, e.g. by December 2015 OCC had implemented at least 18 policies covering core risk management issues without filing proposed rule changes with the Commission. These covered the following policies:

(1) legal risk policy; (2) model risk management policy; (3) financial resources policy; (4) risk appetite framework; (5) enterprise risk management framework; (6) risk universe; (7) operational risk management; (8) clearing fund policy; (9) margin policy; (10) credit risk management policy; (11) liquidity risk management policy; (12) systems incident escalation policy; (13) default management policy; (14) collateral risk management policy; (15) business continuity planning policy; (16) information technology risk management policy; (17) vendor risk management policy; and (18) capital requirements policy.

OCC had also implemented other policies without obtaining prior Commission approval, e.g. in May 2017 OCC implemented revisions to its:

(1) counterparty credit risk management policy; (2) default management policy; (3) margin policy; (4) risk management framework policy; (5) collateral risk management policy; and (6) revised charter for OCC’s Board of Directors as well as charters for the Board’s Audit Committee, Risk Committee, Compensation and Payment Committee, Governance and Nominating Committee, Risk Committee, and Technology Committee.

The failure to obtain Commission approval for proposed rule changes in practice amounts to breach of the most basic administrative rules pertinent to SEC oversight. The fact that OCC allegedly overlooked dozens of amendments and proposed rule changes highlights the highly lax administrative and legal oversight put in place by the OCC, as well as the failure of OCC’s legal counsel to provide the most basic legal support to the OCC.

Not only that, but it also flies in the face of public oversight of the OCC’s operations. Section 19(b)(1) was put in place for a particular purpose, and that was to ensure governmental and public accountability on the part of the OCC. If OCC was not providing proposed rule changes to the SEC, at best, it had in place extremely bad operational and administrative practices, at worst, it was intentionally placing itself beyond the supervisory practices of the SEC. However, there is more than simply accountability inherent in Section 19(b)(1). It also incorporates elements of public debate and discussion. 

The fact that Section 19(b)(1) requires the SEC to provide interested persons with an opportunity to submit written comments, means that the public at large are able to provide commentary, feedback, and opinions on the practices of a SIFMU that in actuality could significantly affect their lives or of their firm’s operations. By failing to submit proposed rule changes, and by circumventing the legal requirements of Section 19(b)(1), the OCC allegedly deprived interested parties of their legal right and opportunity to comment on the working of a public systemically important institution.

[TO BE CONTINUED]

ENDNOTES

(1) Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).

(2) Regulation Systems, Compliance, and Integrity under the Exchange Act (Reg SCI) was adopted by the Commission in November 2014 in order to strengthen the technology infrastructure of US securities markets, and also in order to reduce the occurrence of systems issues, improve resiliency when systems problems occurred, and enhanced the Commission’s oversight and enforcement of technology infrastructure of securities markets. OCC had until 3rd November 2015 to comply.

(3) It was therefore alleged that owing to its conduct, OCC had violated Section 17A(d)(1) of the Exchange Act and Rules 17Ad-22(b)(2), 17Ad-22(d)(1), 17Ad-22(e)(1), 17Ad-22(e)(3)(i), 17Ad-22(e)(4)(iii) and (vi), 17Ad-22(e)(6)(i), and 17Ad-22(e)(7)(i) and (vi) thereunder; ;Rules 1001(a)(1) and (2) of Reg. SCI under the Exchange Act; and Section 19(b) of the Exchange Act and Rule 19b-4 thereunder.

(4) Violation of Exchange Act Rule 17Ad-22(b)(2).

(5) Monin, P.J. (2019). The OFR Financial Stress Index. Risks, 7, 25; doi:10.3390/ risks7010025.

(6) Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.

(7) Inamura, K.; Hattori, A.; Fukuda, Y.; Sugihara, Y.; Teranishi, Y. (2012). Wrong-way risk in OTC derivatives and its implication for Japan’s financial institutions.’ Bank of Japan Review, (June), pp.1-6.

(8) As stipulated in EAR 17Ad-22(e)(4)(i) through (iii).

(9) Eurex Clearing (2019). Stress scenarios and exposure aggregation.

(10) Under Exchange Act Rule 17Ad-22(e)(7)(i).

(11) SCI systems is defined to mean “all computer, network, electronic, technical, automated or similar systems operated by or on behalf of [the entity] that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance” (Rule 1000 of Reg. SCI).

(12) Indirect SCI systems is defined to mean “any systems of, or operated by or on behalf of, [the entity] that if breached, would be reasonably likely to pose a security threat to SCI systems” (Rule 1000 of Reg. SCI).

(13) Proposed rule change is defined to mean “any proposed rule or any proposed change in, addition to, or deletion from the rules of the self-regulatory organization” (Section 19(b)(1) of the Exchange Act). Exchange Act Rule 19b-4(c) states that “a stated policy, practice, or interpretation of the self-regulatory organization shall be deemed to be a proposed rule change unless: (1) it is reasonably and fairly implied by an existing rule; or (2) it is concerned solely with the administration of the self-regulatory organization and is not a stated policy, practice or interpretation with respect to the meaning, administration, or enforcement of an existing rule of the self-regulatory organization.” The term “stated policy, practice, or interpretation” includes “any material aspect of the operation of the facilities of the self-regulatory organization” (Exchange Act Rule 19b-4(a)(6)).

Screen Shot 2019-09-19 at 16.12.00.png
Central Counterparty (CCP): Options Clearing Corporation $20 Million Fine: A Critique by Storm-7 Consulting – PART III (SEC ORDER)

Introduction

This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

 

About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

 

Background

On 4thSeptember 2019 the United States (US) Securities and Exchange Commission (SEC or the Commission) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts and had agreed to pay $20 million in penalties in lieu of settlement of charges that it failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

 

Proceedings Before the SEC

The SEC Order noted that because OCC was the sole registered clearing agency for exchange listed option contracts in the US, it had been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU). [i] The SEC Order further observed that:

“OCC serves as sole registered clearing agency for exchange listed option contracts in the United States… Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants or the broader U.S. financial system.

As a registered clearing agency, OCC is a self-regulatory organization under the Exchange Act. Self-regulatory organizations are charged with an important public trust to carry out their self-regulatory responsibilities effectively and fairly, while fostering free and open markets, protecting investors, and promoting the public trust.”

 

Material Representations by OCC

In it’s 2017 Annual Report entitled “Innovate, Educate, Advocate” (as of 31st December 2017), OCC expressly stated in Note 17. Contingencies, at page 47:

“In the normal course of business, OCC may be subject to various lawsuits and claims. In addition, as a regulated entity, OCC is subject to examinations by the SEC and CFTC. From time to time, such examinations result in regulatory findings or other matters, the resolution of which could in the future include remediation or fines. At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

In its 2018 Annual Report entitled “Clear the Path” (as of 31st December 2018), OCC expressly stated in Note 17. Contingencies, at page 46:

“In the normal course of business, OCC may be subject to various lawsuits, claims, and other legal proceedings. In addition, as a regulated entity, OCC is subject to examination by the SEC and CFTC. In connection with these regulatory and legal matters, OCC has accrued $15 million as of December 31, 2018. Actual settlement amounts may exceed amounts accrued and such amounts could be material.”

 

Rule 17Ad-22(e) under the Exchange Act

Rule 17Ad-22(e) sought to establish standards for registered clearing agencies that met the definition of “covered clearing agency” (CCA), and was first proposed in March 2014. The Commission adopted it in October 2016, and since OCC was a CCA for the purposes of the rule, it was required to comply by 11th April 2017. The rule was adopted in order to impose consistent, higher minimum risk management standards across all CCAs, and also in order to mitigate the potential for any moral hazard associated with risk management at a CCA.

 

OCC’s Failure to Comply

Despite the fact that the Commission staff had notified OCC of material weaknesses with its policies and procedures that could result in violations of Rule 17Ad-22(e) and Reg. SCI [ii], if they were not corrected before the required compliance dates, OCC failed to comply with these rules by the required compliance dates.

The Commission alleged that OCC had failed to establish, implement, maintain and enforce policies and procedures reasonably designed to:

(1) review its risk-based margin models and the parameters for those models on a monthly basis;

(2) consider and produce margin levels commensurate with the risks and particular attributes of each relevant product cleared by OCC;

(3) effectively measure, monitor, and manage its credit exposure and liquidity risk;

(4) maintain a comprehensive risk management framework;

(5) protect the security of certain of its information systems; and 

(6) provide for a well-founded, clear, transparent and enforceable legal framework for every aspect of its activities.

In addition, it was alleged that OCC had also failed to comply with Section 19(b) of the Exchange Act and Rule 19b-4(c), by adopting and changing certain policies prior to obtaining Commission approval. [iii]

OCC was legally required to comply with Reg. SCI by 2rd November 2015.

OCC was legally required to comply with Rule 17Ad-22(e) by 11th April 2017.

Prior to, and throughout this period, the firm’s legal counsel was under a duty to the OCC to inform and update the management of OCC and/or the Board about its legal responsibilities and duties as required by US laws and SEC and CFTC rules. Any good US law student with a basic understanding of US laws and SEC and CFTC rules would have been able to clearly identify such legal obligations. 

A legal counsel working for the largest clearing organization in the world for equity derivatives would have known about these requirements without fail. Consequently, there seems to be questions that ostensibly the SEC and the CFTC have not dealt with in their respective Orders. 

If the 2nd November 2015 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Reg. SCI.

If the 11th April 2017 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Rule 17Ad-22(e).

Assuming this is the case, and it was prima facie alleged by the SEC that the OCC was in breach of these legal requirements, and that such breaches warranted investigation by the SEC and/or would potentially be subject to civil fines and negative reputational damage. 

How can it be that in its 2017 Annual Report the OCC was able to unequivocally say:

“At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

Could such a statement amount to a misrepresentation to existing and/or potential shareholders who were relying on the OCC to inform them about any matters that could negatively impact OCC’s share price?  

Indeed, the question to be asked is could this be legally interpreted in any way as to be misinforming the public vis-à-vis the financial affairs and/or share price of the OCC via the OCC’s 2017 Annual Report? 

 

OCC Failures

The SEC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:

(1) REVIEW ITS RISK-BASED MARGIN MODELS AND THE PARAMETERS FOR THOSE MODELS ON A MONTHLY BASIS [iv];

Exchange Act Rule (EAR) 17Ad-22(b)(2) mandates that a Registered Clearing Agency (RCA) establish, implement, maintain, and enforce written policies and procedures reasonably designed to use risk-based models and parameters to set margin requirements and review such margin requirements and the related risk-based models and parameters at least monthly.

Although OCC was required to comply with this rule by 2nd January 2013, by April 2017, MORE THAN 3 YEARS LATER, OCC had still not complied with this legal requirement.

The Commission had noted that “[m]arket conditions and risks are constantly changing and therefore the models and parameters used by a clearing agency providing [central counterparty] services to set margin may not accurately reflect the needs of a clearing agency if they are permitted to remain static.”

In practice it is crucial for CCPs to ensure that their risk-based margin models are continuously accurate, and that they are reviewed and updated regularly to take into account socioeconomic indicators and trends; political moderating factors; geographical moderating factors; global, regional, and national trends; and other moderating or influencing factors. 

For example, a hurricane in the Caribbean could significantly affect commodity exports from those islands affected in the Caribbean. This in turn could then impact commodity prices of related exchange traded products. If risk-based margin models remain static in a month, then, for example, the same August 2019 margin amounts might be called for September 2019 oil derivatives, even though they may no longer be equivalent, in terms of underlying risk, as August 2019 oil derivatives. 

Moreover, such risk-based margin models also need to be calibrated to take into account financial stress indicators. For example, Monin (2019)[v]defines financial stress as disruptions in the typical functioning of financial markets. It is further noted that symptoms of financial stress can be informed by both theory and practice, and in practice may include uncertainty about the fundamental value of financial assets or the behaviour of investors; increased asymmetric information; and a decreased willingness to hold risky or illiquid assets (Monin, 2019). Examples of the Office of Financial Research (OFR) Financial Stress Index (FSI) category definitions include: (1) credit; (2) equity valuation; (3) funding; (4) safe assets; and (5) volatility (Monin, 2019).

The more accurately these risk-based models and parameters are calibrated and regularly reviewed, the more likely it is that a RCA will be effectively fulfilling its role and maintaining balanced market conditions. In the case of the OCC, owing to its status as a SIFMU it was a fortiori required to ensure that its risk-based margin models were calibrated as accurately as possible, and regularly reviewed to ensure such accuracy because of the potentially significant risks and costs to other market participants and to the broader US financial system.

 

(2) CONSIDER AND PRODUCE MARGIN LEVELS COMMENSURATE WITH THE RISKS AND PARTCULAR ATTRIBUTES OF EACH RELEVANT PRODUCT CLEARED BY OCC;

EAR 17Ad-22(e)(6)(i) mandates that a CCA establish, implement, maintain, and enforce policies and procedures that are reasonably designed to cover its credit exposures to its participants by establishing a risk-based margin system that inter alia considers, and produces margin levels commensurate with, the risk and particular attributes of each relevant product, portfolio, and market.

Although OCC was required to comply with this rule by 11thApril 2017, at the time of the SEC Order it had still not complied with this legal requirement. The SEC Order stated:

“Specifically, OCC’s margin model fails to consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity. 

OCC’s margin model also fails to consider specific wrong way risk associated with cleared securities which are related to clearing members.

Specific wrong-way risk arises at a [central counterparty] when an exposure to a participant is highly likely to increase when the creditworthiness of that participant is deteriorating.”

The failure of OCC’s margin model to consider the impact of market liquidation costs, bid-ask spreads, other transaction-based costs, and the potential market impact of liquidation activity has been considered and discussed in PART I of this Blog series.

As regards the failure of OCC’s margin model to consider specific wrong way risk (WWR), this issue will be discussed here in further depth. 

WWR refers to unfavourable dependencies (e.g. between the value of margin held and creditworthiness of clearing members). So, for example, margin held by a CCP should not be wrong-way, e.g. correlated to the default of the counterparty in that a counterparty posts their own bonds or equity) (Gregory, 2014).[vi]

It is important to differentiate between two distinct types of WWR, which can apply to exposure or margin-related linkages, these are: (1) General WWR; and (2) Specific WWR (Gregory, 2014). General WWR refers to linkages arising from macroeconomic relationships (e.g. interest rates being correlated to credit spreads), whereas Specific WWR arises from specific factors affecting a counterparty (e.g. a ratings downgrade by ratings agency Moody’s) (Gregory, 2014).

According to Eurex Clearing, “Wrong-way risk is defined as the potential loss which Eurex Clearing may suffer during the Default Management Process, due to an unfavorable interrelatedness between the counterparty’s creditworthiness, the value of its collateral pool and the value of its portfolio.” 

If OCC’s margin models had failed to consider specific WWR associated with cleared securities related to clearing members, then this presented a highly significant potential problem for the OCC in terms of accurately identifying the real extent of counterparty risk which the OCC had calculated. This is because if the OCC’s margin models had calculated counterparty risk, but had failed to account for potential specific WWR relevant to specific clearing members in such models, then the OCC was potentially exposed to an unknown quantity of specific WWR for each clearing member, and cumulatively, this could amount to a very large unknown quantity of specific WWR that could materialise in the event of one or more counterparty defaults.

An example of WWR pertinent to put options is set out below for illustrative purposes:

“If a put option for corporate stock correlates highly with counterparty default probability, when the underlying share price declines, the value of the put option (in this case the exposure) increases at the same time that the probability of counterparty default increases. As a result, this wrong-way risk causes a sharp increase in overall risk” (Inamura et al., 2012). [vii]

 

Eurex Clearing identifies its approach to WWR and the actions it takes with regards to WWR:

“To safeguard the overall integrity of the Clearing House and to protect the mutualizing Default Fund, we conduct an internal credit assessment of all counterparties and perform continuous monitoring of credit, concentration and wrong-way risks. This enables us to guarantee fulfilment of all obligations towards counterparties even under extreme market conditions.

The first step in which we avoid wrong-way risk is that we do not allow counterparties to deposit own issues (or issues of closely linked entities) as collateral. Moreover, counterparties are not entitled to use such instruments as collateral for repo transaction or securities lending transactions.

In case Clearing Members enter into positions, where they are exposed to the performance of their own stock (e.g. derivatives on their own stock) or other instruments issued by themselves or entities belonging to the same legal group, these positions are collateralized based on the assumption that the underlying becomes worthless in a default scenario. 

Resources which have already been provided to secure these positions (i.e. dedicated Total Margin Requirement on single position level as well as derived Default Fund contributions) are deducted before the final Supplementary Margin for the own issue positions is calculated. 

A daily monitoring process ensures a tight control of any own issue position. For a more efficient collateral management process on the Clearing Member side, the Supplementary Margins are charged weekly based on the largest excess (i.e. Loss given default minus already provided resources) over the previous week.

By defining dedicated wrong-way risk limits, we are taking additional steps to minimize such risk. These limits are applicable to a counterparty’s collateral pool and the counterparty’s notional exposure.”

The sheer size and negative impact of WWR was clearly and unequivocally demonstrated in the previous sub-prime crisis. Consequently, given the clear and significant problems that were demonstrated by unanticipated effects of WWR during the sub-prime crisis, it was the OCC’s duty to ensure that its margin models identified and incorporated potential WWR and thereby mitigated its effects across its clearing members in order to ensure it operated a robust CCP clearing system.

 

(3) COVER ITS CREDIT EXPOSURE;

EAR 17Ad-22(e)(4)(iii) mandates that a CCA (that is not subject to EAR 17Ad-22(e)(4)(ii)) must establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain additional financial resources at a minimum to enable it to cover a wide range of foreseeable stress scenarios. 

EARs 17Ad-22(e)(4)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to test the sufficiency of its total financial resources available to meet the minimum requirements [viii] by: 

(1) stress testing its total financial resources once each day using standard predetermined parameters and assumptions;

(2) comprehensively analyzing its stress scenarios, model and underlying parameters and assumptions on at least a monthly basis;

(3) comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and 

(4) reporting the results of its stress testing analyses to appropriate decision makers.

Although OCC was required to comply with these rules by 11th April 2017, through at least 4th September 2018 it had still failed to comply with these legal requirements.

It was noted that instead of complying with these requirements, OCC had implemented policies and procedures that determined the monthly sizing of its clearing fund based on a daily calculation of its stress testing exposures utilizing only A LIMITED NUMBER OF SCENARIOS.

The failure of the OCC to cover its credit exposure through stress testing was dealt with in PART I of this Blog. However, some commentary will be made here regarding the OCC’s use of only a limited number of scenarios vis-à-vis its legal stress testing obligations. The main difficulty with utilizing only a limited number of scenarios is that this makes it highly likely that the monthly sizing of its clearing fund does not in actuality reflect the realities of the underlying markets in which the OCC operates. This is highly problematic in practice, because it means that the OCC is potentially not actually fulfilling its role, not only as a CCP, but also as a SIFMU, because it is not robustly addressing all the stress scenarios to which it might be exposed in time of normal markets, and also to which it might be potentially exposed, in times when the markets are subject to financial stress.

In practice, stress scenarios need to be created for each asset class that is in use by the OCC, as well as shifting relevant risk factors in particular markets in order to account for the relevant assumed period of risk, i.e. stress period of risk will differ depending on the underlying asset class and the relevant risk factors that have been shifted.

Stress scenarios then need to be calibrated according to extreme but plausible scenarios, and then those scenarios are broken down into:

(1) historical scenarios (i.e. extreme and well-known events, such as the Lehman Default and the Global Financial Crisis (2008) the Cyprus Financial Crisis (2013); and the Brexit Referendum (2016)); 

(2) hypothetical scenarios (i.e. forward-looking scenarios simulating extreme risk factor movements for all cleared asset classes and products simultaneously by combining selected constellations of up and down moves across asset classes)[ix];

(3) correlation stress scenarios (i.e. special hypothetical scenarios that additionally stress the correlations between single risk factors);

(4) global scenarios (i.e. condensing information from a large number of asset class-specific forward-looking hypothetical scenarios to a smaller number of concise scenarios) (Eurex Clearing, 2019).

As can be seen, if these stress scenarios need to be calculated for multiple asset classes under different market conditions, then calculating stress testing exposures on a daily basis utilizing only a limited number of scenarios would seem to fall very short of the requirements needed to ensure accuracy of financial resources required on a month-to-month basis.

[TO BE CONTINUED]

ENDNOTES

[i] Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).

[ii] Regulation Systems, Compliance, and Integrity under the Exchange Act (Reg SCI) was adopted by the Commission in November 2014 in order to strengthen the technology infrastructure of US securities markets, and also in order to reduce the occurrence of systems issues, improve resiliency when systems problems occurred, and enhanced the Commission’s oversight and enforcement of technology infrastructure of securities markets. OCC had until 3rdNovember 2015 to comply.

[iii] It was therefore alleged that owing to its conduct, OCC had violated Section 17A(d)(1) of the Exchange Act and Rules 17Ad-22(b)(2), 17Ad-22(d)(1), 17Ad-22(e)(1), 17Ad-22(e)(3)(i), 17Ad-22(e)(4)(iii) and (vi), 17Ad-22(e)(6)(i), and 17Ad-22(e)(7)(i) and (vi) thereunder; ;Rules 1001(a)(1) and (2) of Reg. SCI under the Exchange Act; and Section 19(b) of the Exchange Act and Rule 19b-4 thereunder.

[iv] Violation of Exchange Act Rule 17Ad-22(b)(2).

[v] Monin, P.J. (2019). The OFR Financial Stress Index. Risks, 7, 25; doi:10.3390/ risks7010025.

[vi] Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.

[vii] Inamura, K.; Hattori, A.; Fukuda, Y.; Sugihara, Y.; Teranishi, Y. (2012). Wrong-way risk in OTC derivatives and its implication for Japan’s financial institutions.’ Bank of Japan Review, (June), pp.1-6.

[viii] As stipulated in EAR 17Ad-22(e)(4)(i) through (iii).

[ix] Eurex Clearing (2019). Stress scenarios and exposure aggregation.

Central Counterparty (CCP): Options Clearing Corporation $20 Million Fine: A Critique by Storm-7 Consulting – PART II (CFTC ORDER)

Introduction

This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

Background

On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts, and that they had agreed to pay $20 million in penalties in lieu of settlement of charges that it had failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

[CONTINUED]

(3) FULLY STRESS TEST ITS CREDIT EXPOSURE;

A DCO is required to have adequate financial, operational, and managerial resources to discharge each responsibility of the DCO.

A DCO is also required to maintain financial resources sufficient to cover its exposures with a high degree of confidence and to enable it to perform its functions in compliance with its Core Principles.

In addition, a DCO is required to perform, on a monthly basis, stress testing that will allow it to make a reasonable calculation of the necessary financial resources. Such stress testing must take into account both historical data and hypothetical scenarios.

It was found that at least through to 4th September 2018, the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources.

In April 2015, the European Association of CCP Clearing Houses (EACH) published its ‘Best practices for CCPs stress tests’. The paper sought to provide guidance on an overview of best practices with regard to how CCPs perform stress tests. This included discussion of principles to apply when CCPs perform stress tests, as well as risk management areas subject to best practice.

In August 2015, CME Group published its ‘Principles for CCP Stress Testing’, which covered areas such as CCP Risk Management Enterprise; Scenario Standardization and Stress Testing Transparency; and Principles for Stress Testing in depth.

In April 2018 the Committee on Payments and Markets Infrastructures and the Board of the International Organization of Securities Commissions published the highly comprehensive ‘Framework for supervisory stress testing of central counterparties (CCPs)’. This contained highly extensive discussions about the processes involved in CCP stress testing, the use of stress scenarios, identification of risk exposures and sources, as well as analytical metrics.

In April 2019 the US CFTC published its report entitled ‘CCP Supervisory Stress Tests: Reverse Stress Tests and Liquidation Stress Test’. The report analysed reverse stress tests of CCP resources, together with an analysis of stressed liquidation costs. The reverse stress test identified potentially implausible scenarios extreme enough to exhaust all pre-funded resources available to a CCP. The report noted that:

“The analysis of stressed liquidation costs was structured to evaluate whether CCPs had sufficiently pre-funded resources to meet both the payment obligations resulting from a house account default concurrent with an extreme market move, as well as greater than expected costs resulting from hedging and auctioning the positions of the defaulting CM.”

This stress test would allow a DCO to undertake a reasonable calculation of necessary financial resources, as well as taking into account both historical data and hypothetical scenarios.

The point being made here is simple.

In modern times there is a significant body of literature that pertains to the development of modern, accurate, and comprehensive CCP stress tests, and a host of highly qualified financial engineers who can accurately calibrate margin models and run CCP diagnostic stress tests. The US CFTC is on its third set of CCP supervisory stress tests which is the same as its European Union (EU) counterpart, the European Securities and Markets Authority (ESMA) which launched its third EU-wide CCPs stress test earlier in 2019.

Why is it then that, despite the fact that OCC was formed in 1973; notwithstanding it has decades of operational experience; and also that problems with its risk management practices were raised and identified by federal regulators in 2013; in September 2018 it had still failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources – a basic necessity for all modern CCPs?

(4) FULLY MAINTAIN A COMPREHENSIVE RISK MANAGEMENT FRAMEWORK;

A DCO is required to ensure that it possesses the ability to manage the risks associated with discharging the responsibilities of the DCO through the use of appropriate tools and procedures.

A DCO is also required to establish and maintain written policies, procedures, and controls (approved by its board of directors), which establish an appropriate risk management framework that, at a minimum, clearly identifies and documents the range of risks to which the DCO is exposed, and addresses the monitoring and management of the entirety of those risks, and provides a mechanism for internal audit. This risk management framework is required to be regularly reviewed and updated as necessary.

It was found that to date the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures reasonably designed to manage the credit and liquidity risks associated with discharging its responsibilities as a DCO.

The OCC had also failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to manage its operational risks.

OCCs failure to establish, implement, maintain, and enforce policies and procedures reasonably designed to manager its credit, liquidity, and operational risks will be dealt with in PART II of this blog.

(5) FULLY PROTECT THE SECURITY OF CERTAIN OCC INFORMATION SYSTEMS.

A DCO is required to establish and maintain a programme of risk analysis and oversight to identify and minimise sources of operational risk through the development of appropriate controls and procedures, and automated systems, that are reliable, secure, and have adequate scalable capacity.

A DCO’s programme of risk analysis and oversight with respect to its operations and automated systems must also address:

“Systems operations, including, but not limited to, system maintenance; configuration management (including, baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations including in generally accepted best practices.

In addition, a DCO is required to carry out regular, periodic, and objective testing of its automated systems in order to ensure that they are reliable, secure, and have adequate scalable capacity.

The Order found that as of 3rd November 2015, and continuing through various time periods thereafter, OCC had failed to fully establish and maintain a programme of risk analysis and oversight that was reasonably designed to ensure that its automated systems are reliable, secure, and have adequate scalable capacity.

OCC had failed to establish and maintain policies and procedures that were reasonably designed to:

(1) consistently identify, prioritise, test, and implement vendor-issued patches;

(2) ensure that all network devices, including unused and test network devices, were inventoried; and

(3) ensure security threats would be promptly detected.

OCCs failure to establish and maintain such policies and procedures will be dealt with in PART II of this blog.

CFTC Order Civil Monetary Penalty

In accordance with the terms of the order, OCC was ordered to pay a civil monetary penalty in the amount of $5 million US dollars ($5,000,000) plus post-judgment interest.

OCC Remediations

The remediations undertaken by OCC exemplify the range of alleged lapses in its existing risk management framework. For example, as part of the settlement OCC had undertaken a number of remedial efforts, including:

(1) incorporating stress testing into its clearing fund methodology;

(2) enhancing its margin policy;

(3) changing its daily univariate methodology;

(4) enhancing its implied volatility model;

(5) changing its margin methodology for Volatility Indexes and Volatility Indexes Futures;

(6) self-certified a rule change to incorporate liquidation costs in its margin methodology;

(7) further developed its policies and procedures related to its system safeguards and the security of its information systems.

In addition, although OCC did not admit or deny any of the findings or conclusions of the CFTC Order, it replaced many of its senior executives, including the hiring of a new Chief Executive Officer; a Chief Operating Officer; a Head of Financial Risk Management; a Chief Information Officer; a Chief Security Officer; and heads of control functions.

OCC also increased its expenditures and headcount in specific areas (i.e. risk management, compliance, legal, and information technology).

In addition, although one would have already expected such an institution to have already done this, it retained a qualified independent third party compliance auditor to plan and conduct an audit of OCC’s policies and procedures to determine whether they are reasonably designed to: (1) require review of risk-based margin models and the parameters for those models; (2) stress test its credit exposure; (3) manage its credit, liquidity, and operational risks; (4) identify, prioritize, test, and implement vendor-issued patches; (5) inventory all network devices; and (6) promptly detect security threats.

[TO BE CONTINUED]

ENDNOTES

(1) As determined by the Commission.

(2) Section 5(b)(c)(2)(B)(i) of the Act.

(3) Regulation 39.11(a).

(4) Regulation 39.11(c).

(5) Principle 1 (Relevance); Principle 2 (Structure); Principle 3 (Governance); Principle 4 (Transparency).

(6) Scenarios; Stress period of risk (MPOR); Stress positions and prices; stress liquidity; aggregation; calculation of the stress effect; collateral; allocation; governance; validation; disclosure.

(7) Principle 1 (Dynamic Monitoring of Clearing Member and Client Portfolio); Principle 2 (Conservative Safeguards Sizing and the Waterfall Structure); Principle 3 (Comprehensive Scenario Construction); Principle 4 (Thorough Review to Identify Model Limitations); Principle 5 (Maintaining a Robust Governance Structure); and Principle 6 (Transparent Application of Stress Testing Principles and Practices).

(8) Section 5(b)(c)(2)(D)(i) of the Act.

(9) Core Principle I, Section 5b(d)(2)(I)(i) of the Act, and Regulation 39.18(b)(1).

(10) Regulation 39.18(b)(2)(iv).

(11) Regulation 39.18(e)(1).

 

Central Counterparty (CCP): Options Clearing Corporation $20 Million Fine: A Critique by Storm-7 Consulting – PART I (CFTC ORDER)

Introduction

This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

 

About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

 

Background

On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts, and that they had agreed to pay $20 million in penalties in lieu of settlement of charges that it had failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

 

Proceedings Before the CFTC

As a Derivatives Clearing Organization (DCO), OCC is required to comply with the DCO Core Principles (Core Principles) which establish standards for the operation of DCOs.[i] In the CFTC Order, the CFTC noted that the Core Principles impose inter alia, requirements relating to:

(1) the financial, operational, and managerial resources of a DCO;

(2) risk management standards;

(3) rules and procedures relating to management of clearing member defaults; 

(4) risk analysis and oversight of operations and automated systems; and 

(5) clearinghouse governance standards.

 

The CFTC found that OCC had failed to fully comply with specified Core Principles by failing to establish, implement, and enforce certain policies and procedures reasonably designed to:

(1) consider and produce margin levels commensurate with every potential risk and particular attribute of each relevant product cleared by OCC; and 

(2) effectively measure, monitor, and manage its credit exposure and liquidity risk; and 

(3) protect the security of certain of its information systems.

 

The CFTC Order observed that:

“DCOs are an essential part of the U.S. futures and options markets and, as such, they are required to be structured to manage and reduce risk. In instances where a DCO is not structured and operated appropriately, it can pose a risk to the broader financial system. Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants.”

 

Material Representations by OCC

In its 2017 Annual Report entitled “Innovate, Educate, Advocate” (as of 31st December 2017), OCC expressly stated in Note 17. Contingencies, at page 47:

“In the normal course of business, OCC may be subject to various lawsuits and claims. In addition, as a regulated entity, OCC is subject to examinations by the SEC and CFTC. From time to time, such examinations result in regulatory findings or other matters, the resolution of which could in the future include remediation or fines. At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

In its 2018 Annual Report entitled “Clear the Path” (as of 31st December 2018), OCC expressly stated in Note 17. Contingencies, at page 46:

“In the normal course of business, OCC may be subject to various lawsuits, claims, and other legal proceedings. In addition, as a regulated entity, OCC is subject to examination by the SEC and CFTC. In connection with these regulatory and legal matters, OCC has accrued $15 million as of December 31, 2018. Actual settlement amounts may exceed amounts accrued and such amounts could be material.”

Failure to Comply with Core Principles B, D, and I

The CFTC Order found that OCC had failed to comply with Core Principles B, D, and I.

The CFTC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:

(1) REQUIRE REVIEW OF ITS RISK-BASED MARGIN MODELS AND THE PARAMETERS FOR THOSE MODELS ON A REGULAR BASIS;

Core Principle D requires a DCO to ensure that it possesses the ability to manage the risks associated with discharging the responsibilities of the DCO through the use of appropriate tools and procedures.[ii]

A DCO is also required to use margin requirements to cover its potential credit exposures to clearing members, and that each model and parameter used in setting such margin requirements be risk-based and reviewed on a regular basis.[iii]

It was found that OCC failed to fully establish, implement, maintain, and enforce policies and procedures reasonably designed to require review of its risk-based margin models and the parameters for those models on a regular basis.

In February 2018 a spike in a barometer of market sentiment in the US, namely the CBOE Volatility Index (or VIX), spiked in early February, thereby causing a huge cascade of issues in the options market, leaving many traders with significant market losses. 

Subsequent to this event, the SEC and CFTC launched probes into OCC’s risk management models and margin rules to identify whether the clearinghouse for the US options market had failed to accurately anticipate how much liquidity would be needed to cover the losses, i.e. whether there were any rule violations in relation to the calculation of margin levels, stress testing of positions, and maintaining critical computer systems. It is these initial investigations, combined with earlier investigations that culminated in this final review by the CFTC.

A CCP’s margin models are an absolutely fundamental part of its ongoing operations. From an operational perspective, if a CCP’s margin models are not accurate then clearing members (indirect, direct) will be posting too much, or too little margin, depending on the calibration of the margin model. If clearing members post too much margin, then the costs of trading increase and this can hamper market trading and, in turn, market liquidity, thereby affecting market volatility. If clearing members post too little margin, then in the event of adverse market events, and potential defaults of clearing members, the CCP will not hold sufficient margin to cover any potential default scenario and will then have to revert back to using its other default defences as delineated in its default waterfall.

The main points to note here are that the OCC was founded in 1973. In 2001 it was registered with the Commission as a DCO for the clearing of futures contracts and options on futures contracts, and since 2008, it was further authorized to clear commodity options executed on a designated contract market, in addition to futures contracts and options on futures contracts. It therefore had decades of operational experience under its belt.

It is the largest clearing organization in the world for equity derivatives. Moreover, it has been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU)[iv], and therefore it was not only required to set the bar in terms of world class standards, but it was also supposed to lead by example by showcasing best practices globally. Yet, according to the CFTC Order, the OCC had failed an objective test which modestly set the bar at “reasonably designed”, i.e. the policies and procedures to review its risk-based margin models and the parameters for those models on a regular basis were alleged to be not even reasonably designed.

Viewed in such terms, if the allegations were proved to be correct, the OCC would have done an abysmally terrible job at living up to such standards, especially since margin methodologies are one of the most crucial operational aspects of any functional CCP.

 

(2) CONSIDER AND PRODUCE MARGIN LEVELS COMMENSURATE WITH THE RISKS AND ATTRIBUTES OF EACH RELEVANT PRODUCT CLEARED BY OCC;

A DCO is required to establish Initial Margin (IM) requirements that are commensurate with the risks of each product and portfolio, including any unusual characteristics of, or risk associated with, particular products or portfolios, including but not limited to jump-to-default risk or similar jump risk.[v]

The Order noted: “To date, OCC has not fully established, implemented, maintained, or enforced policies and procedures reasonably designed to consider and produce margin levels commensurate with every potential risk and particular attribute of each relevant product and portfolio cleared by OCC. OCC’s margin model fails to fully consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity.

There are two main aspects relating to this finding. The first is that the top priority for any CCP in operation today, is developing and calculating in a highly accurate way, and recalibrating on a regular basis, what is referred to as ‘the margin period of risk’ (MPOR).

The MPOR is defined as “the term used to refer to the effective time between a counterparty ceasing to post margin and when all the underlying trades have been successfully closed out and replaced (or otherwise hedged)” (Gregory, 2014).[vi] The more accurate the calculation of the MPOR, the more accurate the margin model reflects the margins required to accurately and efficiently deal with a clearing member default. The MPOR combines two periods, namely: 

(1) ‘pre-default’, which represents the time before the counterparty defaults and includes the contractual period for making margin calls (e.g. daily), and operational delays in requesting and receiving margin; margin disputes; settlement of non-cash margin; grace period given from a party failing to post margin to being deemed to be in default; and  

(2) ‘post-default’, which includes the time to close out trades; re-hedging and/or replacement of positions; and auction of trades (Gregory, 2014).

The MPOR will differ depending on the particular type of financial instrument being cleared in question. However, what can be said is that generally speaking derivatives that are traded on an exchange (i.e. Exchange Traded Derivatives (ETD)) are more standardised than over-the-counter (OTC) derivatives that are subsequently cleared on a CCP. Therefore, the market liquidation costs, bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity, are easier to calculate for ETD than they are for OTC derivatives cleared on a CCP. 

If current CCPs such as Eurex Exchange operating in Germany have developed highly accurate and comprehensive margin models to fully consider the impact of market liquidation costs, bid-ask spreads, and other transaction-based costs, as well as the potential market impact of liquidation activity for OTC cleared derivatives, it is difficult to see why OCC has failed to do so for ETD.

Now, it is at this point that matters become really interesting. In September 2013, following two-and-a-half years of examinations by federal market authorities, regulators levelled a wide-ranging critique of the way OCC managed risk and handled compliance. This included criticisms of the way OCC measured financial risks facing its members, flaws in the way that OCC prepared for market freeze-ups, senior management supervision failures by the OCC’s Board, and improper management of conflicts of interest. A letter sent to OCC dated 8thSeptember 2013 by the SEC stated that:

“[The] excessive number of repeat findings raises a serious concern about OCC’s overall commitment to establishing a culture of regulatory compliance and, more specifically, its ability to timely and adequately address the Staff’s findings.”

At the time, Jim Binder, spokesman for OCC enunciated that:

“We are diligently working on a response that will confirm our commitment to resolving the issues identified in the letter, and that will describe the processes that we’ve put in place over the last year or so to prevent a recurrence of similar shortcomings in the future.”

Jim Binder noted that the OCC was taking the SEC examination letter “very seriously”. In fact, it was taken so seriously that more than five years later the OCC was hit with a $20 million fine for pretty much the same failures identified previously.

 

[TO BE CONTINUED]


ENDNOTES

[i] As a condition of registration under Section 5b of the Commodity Exchange Act (CEA), 7 U.S.C. § 7a-1 (2012), and implementing provisions set forth in Part 39 of the Commission’s Regulations (Regulations), 17 C.F.R. pt. 39 (2019).

[ii] Section 5b(c)(2)(D)(i) of the Act.

[iii] Regulation 39.13(f) and (g)(1).

[iv] Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).

[v] Regulation 39.13(g)(2)(i).

[vi] Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.