It might not seem as though the sad demise of Credit Suisse has much to teach surveillance professionals. But look harder and it exposes many of the issues that have become apparent over the past half decade.
The failure of Credit Suisse is peculiar because it has not involved the revelation of hidden losses or a ‘black hole’ in the bank’s accounts, but instead the erosion and finally collapse of its reputation in the eyes of its customers. Banking is above all about trust and customers finally voted with their deposits.
The big picture lesson is clear enough: regardless of ‘tone’ from the top – and it’s behaviour, not tone, that counts – the culture of the bank seems to have remained firmly rooted in traditional (and outdated) concepts of Swiss bank secrecy that prioritise wealth concealment, anonymity and tax avoidance.
That culture is reflected in those multiple fines for failures in financial crime prevention and repeated exposure in media leaks of controversial financial activity. But it’s also reflected in the aftermath of failure: looking at the firing of Chief Compliance Officer Lara Warner in the wake of Archegos, or at the revolving door that has spat out her replacement Rafael Lopez Lorenzo and Head of Regulatory Compliance Julian Gooding, it’s hard not to conclude that compliance was treated as a scapegoat for cultural and control failings that went much deeper.
Blame the system?
But those cultural failings then pose a bigger question. Given the volume and granularity of global financial regulation around conduct, culture and financial crime in the last 15 years, how did one of the world’s most important banks continue to generate so many problems that it ended like this?
If regulators understand that culture drives conduct (and they do), isn’t the failure of Credit Suisse also the failure of a regulatory model obsessed with hyper-granular risk assessments and documented audit trails explaining why actions were and were not taken in relation to individual transactions?
Take the bank’s annual report describing the US Securities and Exchange Commission’s queries around cash flow restatements going back to 2019 in relation to the netting treatment of some securities lending and borrowing activities.
The report says, ‘management did not design and maintain an effective risk assessment process to identify and analyse the risk of material misstatements in its financial statements’. In a separate statement, auditors PricewaterhouseCoopers said that ‘management did not design and maintain effective controls over the completeness and the classification and presentation of non-cash items in the consolidated statements of cash flows’.
This is what’s wrong with much of the risk and control process in banks at present. There is no risk assessment process that can identify every possible risk in a business to this level of detail and nor should there be. There should be no need for a bank to define every possible mistake one could make in preparing the annual report of a global bank and then develop a risk and control framework to monitor for those mistakes.
These are not the kinds of ‘risks’ that belong in a risk control self-assessment. These are questions of professional competence and, in this case, understanding accounting rules. You don’t need a risk assessment checklist for them, devised by another department and debated by a committee. You need qualified staff whose work is checked by senior internal and external staff upon whose expertise you rely in matters of technical detail. Non-financial risk functions should be concerned with the bigger picture and they should not be building that from the bottom up to that degree.
Credit Suisse said its management team was developing a remediation plan to address the weakness and would ‘implement robust controls to ensure that all non-cash items are classified appropriately within the consolidated statement of cash flows’.
This granularity is ridiculous. The financial reporting and audit departments of banks are the controls that should ensure that all non-cash items are classified appropriately. In this case, the external auditors picked up the issue, which is their job, and the error (which was technical and did not invalidate the annual report under Swiss law) was rectified. If there was any real failure, it was that the external auditors did not pick the error up quickly enough, so that a last-minute SEC query could then delay publication.
A regulatory problem
This is an example of the regulator-driven obsession with more rules and risk assessments that is paralysing banks with bureaucracy that cannot work. It is replacing reliance on good hiring and management with dependence on spreadsheets whose granularity gives the illusion of control while in practice swamping control teams with data they cannot use effectively.
It is creating a culture in which, no matter what banks and regulators say, risk and control teams are taking day-to-day ownership of risk because the business assumes those infrastructures can be relied upon to flag concerns instead of keeping track themselves. In practice, those teams are struggling simply to achieve basic regulatory compliance, let alone significant risk mitigation. And they are spending more and more time, as one compliance chief said recently, ‘writing reports about why we did not file a suspicious activity report’. (Imagine the infinity of reports that could be.)
With Archegos, the basic failure was simple: profitability from the relationship was low (tens of millions of dollars at most over several years), yet the risk exposure was reportedly more than $20bn, or half the bank’s equity cushion against potential losses, and it only held a tenth of that against the position. It shouldn’t need an RCSA to spot that. And how far up the material risk list was a $5bn loss in prime brokerage anyway? Upheavals are always the result of large surprises that, by definition, are not flagged early by risk and control systems.
Time to change tack
More layers of rules and controls are not the answer. Better big picture business management is. As the huge third-party report commissioned by Credit Suisse on Archegos showed, the key causes were staff turnover and the replacement of experienced professionals with juniors.
Sure, there were also failures of reporting and data systems, but the head of a prime brokerage unit should know whether they are running a $5bn risk or a $20bn equity exposure and whether a few million dollars is sufficient compensation. And they should be more concerned with the health of the bank than with their own payslip. That way they wouldn’t shrug off the concerns of risk and control teams.
So why did Credit Suisse ultimately fall? Yes, the regulators are driving a compliance culture that is unintentionally undermining management responsibility at business unit level and below. Yes, the obsession with ever more detailed risk assessments is a distraction from real material risks. Yes, the drive to regulate and put a number on every single aspect of banks’ operational processes, as though they were foreign exchange positions, is daft and doomed to fail.
And yes, maybe Credit Suisse was unlucky. With 2m customers you get a few bad apples. But it was unlucky a lot. And it kept being unlucky in the same way.
When your customers – many of whom will have been with you for their whole lives – pull the plug, it’s your culture that has gone wrong.
Simon Brady is Editor of 1LoD, a specialist events and research company for risk and control practitioners in financial institutions.