
Find and briefly describe four public examples of OpRisk which have occurred over the last three (3) years. Refer to the Basel definition to justify why the identified example is an Operational Risk event.

As part of the revised Basel framework, the Basel Committee on Banking Supervision set forth the following definition: operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

Examples of Operational Risk

Santander UK sends wrong payments totaling $175 million

On Christmas Day 2021, Santander UK paid about 75,000 people mistaken payments. Recipients included not only the bank's own customers but also customers of rival banks. The bank had duplicated about 2,000 payments that had originally been processed by its commercial and corporate customers to third parties. Santander stated that the funds for the duplicate payments were not withdrawn from the originators' accounts, which as a result caused an overdraft.

This can be considered an example of operational risk because it involves a loss resulting from a failed internal system, process or people. In Santander UK's case, a fault in its internal system led its computers to double-post these payments, and as a result the bank lost millions of dollars which it is currently trying to recover.

https://www.nytimes.com/2022/01/01/business/santander-bank-extra-payments.html

https://www.cnbc.com/2021/12/31/santander-accidentally-put-millions-into-random-accounts-on-christmas-day.html

Colonial Pipeline ransomware attack

On May 7th 2021 the Colonial Pipeline control room received a ransom note demanding payment in cryptocurrency before 5 AM. Although the company did not know it at the time, the ransomware attack had actually begun on April 29th, when hackers gained access through a virtual private network account that was no longer in use and from there reached the company's computer network. As a result of this attack, Colonial Pipeline had to shut down service until May 12th. The attack led to fuel shortages all along the East Coast and increased fuel prices for consumers.

This risk event is an example of operational risk because, owing to outdated system security and the company's failure to assess the risks associated with its VPN accounts, hackers were able to enter the network and view all of its vulnerabilities. They were able to take control across the whole company and cause damage that impacted thousands of customers.

https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

UBS

UBS was fined £27.6 million for MiFID I transaction reporting failures attributed to weaknesses in technology change management, quality assurance and testing. The UK's Financial Conduct Authority (FCA) fined UBS for over- and under-reporting transactions, mistakes in reports, and systems and control failures affecting 135.8 million transaction reports over a ten-year period. UBS's failures undermined effective market oversight, which relies on the complete, accurate and timely reporting of transactions. The reporting errors could be traced back to 2007, when UBS first went live with its MiFID I transaction reporting system. The change management process was not comprehensive, was inadequately articulated and was inappropriately resourced. There was a lack of policies and procedures defining the processes for identifying, managing, challenging, approving and monitoring system changes.

The FCA pointed to three main root causes of the reporting errors: errors in UBS's systems, IT logic and reporting processes; weaknesses in change management controls; and weaknesses in controls around the maintenance of static data. UBS's erroneous reporting is an example of operational risk arising from inadequate internal processes and systems: flawed change management, inaccurate reference data used for reporting, and failure to ensure that all transactions reported were accurate and complete. UBS showed signs of an inadequate risk management environment, inadequate information and technology, and a weak role of disclosure. Appropriate reporting mechanisms should be in place at the senior management and business unit levels to support proactive management of operational risks and to ensure that reports are comprehensive, accurate and consistent.

https://www.fca.org.uk/news/press-releases/fca-fines-ubs-ag-276-million-transaction-reporting-failures

https://www.jdsupra.com/legalnews/weekly-news-summary-ubs-s-record-mifid-38797/
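The three UBS failure types above (over-reporting, under-reporting and stale static data) are the kind of thing a daily reconciliation control catches. The following is an added example, not UBS's code and not from the FCA notice; the trade book, submitted reports and instrument master are constructed sample data with the defects seeded deliberately.

```python
from collections import Counter

# Constructed trade book, submitted reports and instrument master (hypothetical,
# not UBS data). Defects are seeded to mirror the failure types the FCA cited.
BOOK = [
    {"id": "T100", "isin": "XX0000000001", "qty": 100, "price": 25.10},
    {"id": "T101", "isin": "XX0000000002", "qty": 50, "price": 3.20},
    {"id": "T102", "isin": "XX0000000003", "qty": 10, "price": 100.0},
]
REPORTED = [
    {"id": "T100", "isin": "XX0000000001", "qty": 100, "price": 25.10},
    {"id": "T100", "isin": "XX0000000001", "qty": 100, "price": 25.10},  # sent twice: over-reporting
    {"id": "T101", "isin": "XX0000000099", "qty": 50, "price": 3.20},  # stale ISIN from static data
    # T102 was never submitted: under-reporting
]
INSTRUMENT_MASTER = {"XX0000000001", "XX0000000002", "XX0000000003"}
FIELDS = ("isin", "qty", "price")


def reconcile(book, reported, master):
    """Compare submitted reports with the trade book and the reference data.

    Returns trade ids that were under-reported (in the book, never sent),
    over-reported (sent more than once, or not in the book at all), had a
    field mismatch against the book, or referenced an instrument that is
    missing from the current instrument master (a static-data defect).
    """
    book_by_id = {t["id"]: t for t in book}
    sent = Counter(r["id"] for r in reported)
    findings = {
        "under": sorted(tid for tid in book_by_id if sent[tid] == 0),
        "over": sorted(tid for tid, n in sent.items() if n > 1 or tid not in book_by_id),
        "mismatch": [],
        "bad_static": [],
    }
    for r in reported:
        if r["isin"] not in master:
            findings["bad_static"].append(r["id"])
        b = book_by_id.get(r["id"])
        if b and any(r[f] != b[f] for f in FIELDS):
            findings["mismatch"].append(r["id"])
    for key in ("mismatch", "bad_static"):
        findings[key] = sorted(set(findings[key]))
    return findings


if __name__ == "__main__":
    print(reconcile(BOOK, REPORTED, INSTRUMENT_MASTER))
```

Run daily against the regulator's acknowledgement file rather than the outbound queue, so that reports rejected or dropped in transit also show up as under-reported.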

HSBC

HSBC uses automated processes to monitor hundreds of millions of transactions a month to identify possible financial crime. Although automated processes are less prone to error than manual ones, they introduce risks that must be managed through sound technology governance and infrastructure risk management programmes. The FCA identified three main areas of weakness in the bank's transaction monitoring systems. First, the bank did not ensure that the scenarios used to identify indicators of money laundering or terrorist activity were appropriate and covered the relevant risks. Second, no appropriate tests were conducted, and the parameters within the systems that determine whether a transaction shows signs of potentially suspicious activity were not updated. Third, HSBC failed to check the accuracy and completeness of the data being fed into and held within the monitoring systems.

As such, the FCA fined HSBC £64m because its automated systems for detecting suspicious transactions were weak. HSBC's ineffective transaction monitoring system is an example of inadequate internal processes and systems. Validation is a critical component of an effective operational risk management framework (ORMF), and HSBC failed to ensure that the quantification systems used were sufficiently robust to provide assurance of the integrity of inputs, assumptions, methodologies, processes and outputs. A sound internal control programme consists of four components: risk assessment, control activities, information and communication, and monitoring activities. In this case, HSBC's internal control had been ineffective for a prolonged period, and these system failures only heightened the risk of money laundering and organised crime, a serious and growing problem for banks.

https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls

https://www.computerweekly.com/news/252511100/HSBC-fined-64m-for-automated-transaction-monitoring-failures
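The three HSBC weaknesses above map onto three controls: a data-quality gate on the feed, a scenario that encodes a money-laundering indicator, and a parameter test that checks the scenario against known cases. The following is an added example, not HSBC's code or the FCA's material; the transaction feed, the structuring scenario and its threshold values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real HSBC data). Two rows are deliberately
# defective: t4 has no amount and t5 has no customer id.
FEED = [
    {"id": "t1", "cust": "C1", "ts": "2022-03-01T09:00:00", "amount": 9500, "type": "cash_in"},
    {"id": "t2", "cust": "C1", "ts": "2022-03-02T09:00:00", "amount": 9700, "type": "cash_in"},
    {"id": "t3", "cust": "C1", "ts": "2022-03-03T09:00:00", "amount": 9900, "type": "cash_in"},
    {"id": "t4", "cust": "C2", "ts": "2022-03-01T09:00:00", "amount": None, "type": "cash_in"},
    {"id": "t5", "cust": "", "ts": "2022-03-01T09:00:00", "amount": 12000, "type": "cash_in"},
    {"id": "t6", "cust": "C3", "ts": "2022-03-01T09:00:00", "amount": 250, "type": "cash_in"},
]
REQUIRED = ("id", "cust", "ts", "amount", "type")


def validate(feed):
    """Data-quality gate: keep only records with every required field populated."""
    good, rejected = [], []
    for rec in feed:
        if all(rec.get(k) not in (None, "") for k in REQUIRED):
            good.append(rec)
        else:
            rejected.append(rec["id"])
    return good, rejected


def structuring_scenario(txns, threshold, min_count, window_days):
    """Flag customers making >= min_count cash deposits just under `threshold`
    (here: within 80-100% of it) inside any window of `window_days` days."""
    by_cust = defaultdict(list)
    for t in txns:
        if t["type"] == "cash_in" and 0.8 * threshold <= t["amount"] < threshold:
            by_cust[t["cust"]].append(datetime.fromisoformat(t["ts"]))
    flagged = set()
    for cust, times in by_cust.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= timedelta(days=window_days):
                flagged.add(cust)
                break
    return flagged


def backtest(txns, params, expected):
    """Parameter test: compare scenario hits with customers known to be suspicious."""
    hits = structuring_scenario(txns, **params)
    return {"hits": hits, "missed": expected - hits, "false_pos": hits - expected}
```

Running `structuring_scenario` on the raw `FEED` without the gate fails on the `None` amount, which is the point of validating before monitoring; the backtest with `min_count=5` shows a parameter set that silently misses the seeded case C1.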