
Saturday 24 July 2021

The Sad State of BCP and Cyber Risk Planning at Financial Market Infrastructure Institutions

Nine Years Thundering Toward the Station
Alas, Yet to Arrive

Here I am again making what no doubt could be labeled as an “overdue wake up call” by the chronically somnolent or perhaps as a “sobering fact” by the habitually intoxicated.

On 21 July the BIS Committee on Payment and Market Infrastructures published a joint report with the Board of International Organization of Securities Commissions on a level 3 evaluation of implementation of Principles for Financial Market Infrastructures (PFMI).

Before beginning my rant, a couple of notes.

The PFMI were issued in 2012, which would appear to be some nine years ago, if my arithmetic is correct.

The PFMI were issued to set standards for Business Continuity Planning (BCP) and Recovery of Operations for systemically important and therefore critical financial market infrastructure institutions:

  • payment systems (PS)

  • central securities depositories (CSD)

  • central counterparties (CCP)

  • securities settlement systems (SSS)

  • trade repositories (TR).


To be clear, we’re talking about payment systems, e.g., CHIPS, CHAPS, Fedwire, not individual banks. For the other categories, some US examples: DTCC, NSCC, FICC, etc.

The rationale is to require these critical market infrastructure institutions to have effective BCPs to restore service in the event of disruptions. In that regard think of power blackouts, 9-11, and yes, cyber attacks.

Here is the link to the BIS CPMI page on the PFMI which contains additional details.

In addition to the PFMI, you will notice that there are also an additional eight guidance papers on implementation of the PFMI.

Among those there is a 2016 guidance paper on cyber risks. Applying the same arithmetic as above, that would appear to be five years ago.

The July joint BIS CPMI/IOSCO-OICU IMSG (Implementation Monitoring Standing Group) reviewed the business continuity planning practices at a sample of 38 FMIs from 29 jurisdictions during 2019-2020.

The sample comprised 14 PSs, 15 CSDs/SSSs, five CCPs and four TRs.

The study was conducted by reviewing responses to a questionnaire.

That is, based on assertions made by the respondents rather than an on site investigation.

If you’re like me, you might find that a bit chilling given the results. 

If you're willing to self-certify to failure, isn't it likely that the failure is even more egregious?

So what were the findings?

1.2.1 Timely recovery in the event of a wide-scale or major disruption

The IMSG has identified one serious issue of concern, which is that the business continuity management of some, and potentially many, FMIs does not seem to “aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption”, as expected by the Operational Risk Principle (Principle 17). Furthermore, based on the information provided by the participating FMIs, there are doubts about whether their business continuity plans are designed to “ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events” and “enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances” as expected by KC6. [That’s Key Consideration 6 in Principle 17]. Given this is a serious area of concern, the CPMI and IOSCO expect the relevant FMIs and their supervisors to address this as a matter of the highest priority.

Given that the PFMI were issued some 9 years ago and implementation is still deficient, the use of the term “highest priority” is perhaps both an indication of importance as well as a bit of sarcasm. That being said, the IMSG only “expects” this to be done. No doubt as they have expected implementation over the past nine years.

The IMSG’s findings continue:

While almost all of the surveyed FMIs indicated that they have business continuity plans (BCPs) designed to meet this requirement, there is evidence that leads the IMSG to question this. In terms of specific evidence:

  • A few of the surveyed FMIs do not explicitly aim for the 2hRTO, even for wide-scale physical (noncyber) disruptions.

  • One of the surveyed FMIs acknowledges that its secondary site does not have a distinct risk profile from that of its primary site.

  • A small number of FMIs stated that they did not have alternative arrangements to allow for the processing of time-critical transactions. Of those that did have such arrangements, some relied solely on manual and paper-based alternative arrangements.

  • A few FMIs indicated that they do not have specific plans to mitigate potential widespread staff unavailability. This suggests that these FMIs may have difficulty completing settlement if this were to occur.

“Mighty disappointing” to use a technical financial market term.

Inverse kudos to the respondent that apparently will rely on manual paper-based systems. Systemically important FMIs are likely to be ones that process “lots” (that’s another technical financial term) of transactions.

But you ask what about cyber attacks?

1.2.2 Cyber risk

Principle 17 states that “[a]n FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls…” The IMSG has identified one issue of concern, which is that a few FMIs in the sample did not provide specific BCP objectives with respect to cyber risk. Among the FMIs that have specific BCP objectives with respect to cyber risk, only a few explicitly acknowledged the breadth and depth of potential cyber attacks and the complexities of cyber risks that their BCPs may not be able to cover.

While not as serious as the previous risk in the assessment of the IMSG, I think this qualifies as very serious.

  • The probability of a cyber attack may be higher than some of the other risks of disruption and the impact much greater.

  • If computer networks are hacked, critical information, even that at backup sites, may be unavailable or destroyed.

Particularly, if the attack is the work of a state actor.

That would be a different kettle of fish than a natural disaster. Or even a 9-11 style attack.

Wednesday 12 August 2020

The Importance of Hong Kong to the PRC as a Global Commercial Banking Center

 


I’ve posted earlier on HK’s overall position as a global commercial banking center Part 1 here and Part 2 here.

Today I’ll look at the importance to the PRC of HK as a global commercial banking center using 31 December 2019 comparatives.

This will not be a comprehensive analysis but rather a set of data points.

Hopefully sufficient to convince you that HK is very important to the PRC as a source of funding.

If you’re wondering why I have “ignored” capital raising and other services, the answer is that this information is already well covered in the IMF December 2019 Article IV PIN for the HKSAR which covers trade, including re-export from/to China, equity and bond capital raising, etc. Well worth a look.

We’ll be looking at HK’s importance in terms of:

  1. Cross-border transactions with the PRC
  2. Mainland related non-bank transactions as defined by the HKMA.

Summary

  1. Hong Kong is responsible for more than 40% of the cross-border financing provided to the PRC by commercial banks.
  2. Its share is 5x that of the second largest cross border financing country.
  3. The amount HK provides to the non-banking sector under HKMA’s wider “Mainland” related standard is 3.4x the cross-border financing it provides that sector.
  4. Based on the above, HK is a critical source of funding to the PRC.

Sources

The sources for this analysis are the BIS’s Locational Banking Statistics (LBS) and HKMA’s Monthly Statistical Bulletin.

Technical Notes on BIS LBS

Before getting into the analysis, some comments on LBS statistics.

These are based on reporting by banks in 48 countries. The BIS estimates that the LBS “capture” 94% of total cross-border banking transactions.

LBS reporting is based on residency not nationality or ultimate ownership, both for reporting banks and their customers.

The one exception is BIS Table A4. It is based on nationality of reporting bank resident in one of the BIS LBS 48 reporting countries, irrespective of its location. That means that the claims and liabilities of all "French" banks resident in the LBS 48 reporting countries are aggregated and presented under "France".

Claims and Liabilities on countries (Tables A3, A6.1 and A6.2) are based on LBS reporting country banks’ exposures to residents of the named country.

Using the PRC as an example, LBS reporting banks’ exposure to a PRC entity in say the UK is not reflected in these statistics as PRC exposure. But rather as UK exposure. Exposure to a European company in the PRC is reported as PRC exposure.

Data in the LBS reports is not consolidated. It includes intragroup transactions. These primarily consist of bank intragroup deposit placement and loans.

Now to the analysis.

Hong Kong Has the Dominant Share in the PRC’s Cross-Border Claims and Liabilities

For this exercise, I am using the BIS Table A3-S and BIS Table A6.2-S as of 31 December 2019.

As per Table A3-S banks in LBS countries—except for those resident in the PRC—had Claims equivalent to USD 944 billion (USD 553 billion for banks and USD 378 billion for non banks) and Liabilities equivalent to USD 779 billion (USD 523 billion for banks and USD 247 billion for non banks) to the PRC.

You’ll notice that in this table roughly USD 13 billion Claims and USD 9 billion in Liabilities are not allocated to either the bank or non-bank sectors.

In Table A6.2-A the BIS has “allocated” these two amounts to the banking sector probably for convenience. You will also notice that the positions of the countries identified do not equal Total Claims and Liabilities.

In any case, these amounts are small enough that they are not going to affect the broad conclusion.

The following two charts set out the relative position of HK resident banks vis-a-vis the other LBS reporting country banks with significant positions.



As is clear from the above, Hong Kong resident banks dominate cross-border transactions with the PRC with Claims of USD 384 billion and Liabilities of USD 336 billion equivalent.

In terms of Claims, Japan, the second largest country counterparty, has a share one-fifth of HK’s.

In terms of Liabilities, the USA, the second largest country counterparty, has a share one-third of HK’s.

HK Resident Banks’ Mainland-Related Non Bank Exposures

In 2013 the HKMA began requiring HK resident banks to report additional details of their total Mainland related non bank business quarterly.

“Non bank” means that exposure to banks is not included.

This report has a wider scope than transactions that qualify for the cross-border Table T031101. It therefore provides a wider measure of the financing HK provides the PRC.

First, it covers not only all HK resident banks but also HK incorporated banks’ subsidiaries and branches located in the Mainland.

Second, it covers a wider range of transactions. For example, if a HK resident bank lends to say Tesla USA for the specific purpose of building a factory in China, that loan is reported here.

Details of these requirements can be found in the January 2018 revision to the original 2013 Circular. If you read this you’ll see just how “wide” HKMA’s “Mainland related” definition is.

The HKMA publishes some of the data from these reports as part of its Monthly Statistical Bulletin Section 3.13 “Mainland-Related Lending and Other Non-Bank Exposures”.

With this data we can get a wider view of HK’s role in providing finance to the PRC as well as the importance of that role.

First, let’s look at total Mainland-Related lending as per HKMA’s T031301.


The first thing you’ll notice is that Mainland-Related Non-Bank Lending is some 3.4 x Cross Border Claims on the PRC Non-Banking Sector as reported in T031101.

Looking over that report you’ll also notice that the relative percent of Loans (ex Trade Finance) and Trade Finance have remained relatively constant over the 25 quarters since statistics were first published for 31 December 2013.

The averages for that period are respectively 91% and 9%. No significant difference from the 31 December 2019 shares.

Over that period, total lending has grown from HKD 2.6 trillion to HKD 4.6 trillion.

To find out which type of banks resident in HK are providing the funds, we turn to T031302.

“Local Banks” include the HK offices and Mainland Branches of banks incorporated in HK.

“Mainland Subs” are HK incorporated banks’ subsidiaries in the PRC.

“Foreign Banks” are all other resident banks in HK. For example, the HK branches of PRC banks, of European banks, etc.

The 31 December 2019 percentage shares are fairly consistent with the average shares over the 25 quarters since December 2013: 43%, 41%, and 16% respectively.

What this suggests is that there is fairly wide appetite for PRC risk. It’s not just locally incorporated HK banks and the HK branches of PRC banks that are providing financing.

Who are the borrowers? Table T031303 provides the answer.

The "Non-Mainland Entities" include foreign firms who have borrowed for a project in the PRC.  So if Tesla USA was the borrower on a loan to build a plant in the PRC, it would be included here.

Again the 31 December 2019 percentage shares are close to the averages over the 25 quarters since December 2013: 42%, 23% and 34% respectively.

There’s a good mix of business here with some 60% of lending outside of the SOE sector.

Finally, T031304 provides data on other non-bank exposure to the Mainland.


Negotiable Debt Instruments are non loan debt obligations. Think bonds, etc.

NDI purchases take the funds provided to USD 694 billion or 4x the cross-border financing provided by HK resident banks to the PRC non-bank sector.

Off Balance Sheet Exposure includes issued but undrawn letters of credit and guarantees issued on behalf of customers, and irrevocable commitments to lend.

From the foregoing, it’s clear that HK plays the dominant and critical role in providing financing for the PRC.