Regulation & supervision: From old fault lines to emerging concerns

ABU DHABI: Governor of the Central Bank of Kuwait Dr Mohammad Y Al-Hashel addresses the 14th High Level Meeting for the Middle East & North Africa Region, jointly organized by the Basel Committee on Banking Supervision, the Financial Stability Institute and the Arab Monetary Fund yesterday

Keynote speech delivered by Governor of the Central Bank of Kuwait Dr Mohammad Y Al-Hashel

ABU DHABI: Following is a keynote speech delivered by Dr Mohammad Y Al-Hashel, Governor, Central Bank of Kuwait at the 14th High Level Meeting for the Middle East & North Africa Region, jointly organized by the Basel Committee on Banking Supervision, the Financial Stability Institute and the Arab Monetary Fund yesterday in Abu Dhabi.

I am delighted to return to this forum for the third time in a row, and I am grateful to HE Dr Abdulrahman A Al-Hamidy for inviting me to speak before this august gathering. Taking this opportunity today, I would like to touch upon two areas. First, where the years of regulatory reforms have left us in terms of addressing the fault lines that global financial crisis (GFC) laid bare, and second, what are the emerging regulatory & supervisory concerns going forward.

Fixing the old fault lines
Let me start with the first question: where the years of regulatory reforms have left us? It is well over a decade since the GFC took the financial world by storm. Around ten years back, in 2009, the world was reeling from a financial crisis that was unique in both its origin and scale. Epicenter of the crisis was advanced countries and the US in particular. And in terms of scale, as research by BIS has highlighted, cumulative output loss since the GFC has been a hefty 25% of the world’s GDP, excluding the enormous social costs associated with high unemployment and lost output.

Rising to the occasion, global leaders moved quickly to address the threats to global financial system – a feat that appears particularly impressive in current times of trade spats and growing nationalism. GFC also led to a fundamental shift in our approach to banking regulation and supervision, essentially by exposing the fault lines in the inadequacy of earlier regulatory architecture.

By now, those fault lines are well-understood. Banks held too little capital and of poor quality. Inadequacy of capital was further weakened by the absence of a backstop measure to contain excessive leverage. Banks that were too big to fail enjoyed the market power but were not required to internalize the cost of risks they brought to the overall system. Suitable measures of liquidity, in both funding and market sense, were lacking. And the efforts to contain systemic risk, both in its time and structural dimension, were hardly in sight. In a nutshell, the rule book was evidently deficient.

And if that was not enough, banking supervision was micro prudential in nature. Supervisors believed that ensuring stability of individual institutions would make the system as a whole stable, thus largely ignoring the buildup of systemic risk.

The GFC brought into sharp focus the gaps in our regulatory regime. As Paul Romer, a Stanford Economist, once said, ‘A crisis is a terrible thing to waste’. Thankfully, lessons from the GFC were not wasted. Central banks and financial regulators made great strides in building a more stable and resilient financial system. The regulatory reforms by the BCBS under Basel III regime not only refined the existing rules but also introduced wide-ranging measures which were earlier missing or inadequate.

Thanks to these efforts, the old fault lines have been largely fixed. Capital adequacy regime has been enhanced, with higher and better quality capital. Additional capital conservation buffer and countercyclical capital buffer requirements have also been put in place to help banks maintain additional cushion and limit the buildup of systemic risk. Likewise, leverage ratio has been phased in as a backstop to CAR.

On the liquidity front, Liquidity Coverage Ratio and Net Stable Funding Ratio have further strengthened banks’ capacity to withstand liquidity stress and to make their funding structure more stable. To address structural dimension of systemic risk, capital charge for SIFIs has been added, recovery and resolution regimes have been strengthened and safety nets have been improved. Of course, this list is not exhaustive.

While the world has not seen a crisis similar to GFC to determine if these reforms have made the financial system resilient enough, there is sufficient evidence to suggest that our banks are considerably more stable than a decade ago. Even the impact of oil price shock of 2014 on GCC banks have been muted at most, though degree of resilience certainly varies from one country to another. Still, there is broader agreement that our banks entered the low oil price environment from a position of strength which was built through prudent regulatory reforms.

Now, as the rule book is mostly in place, it is time for supervision to step up. After all, regulation can only go that far; without effective supervision, it is hard to ensure timely and consistent implementation and achieve financial stability at large.

The role of effective supervision is also critical because not every risk can be pre-defined in a rulebook. While overseeing the dynamic world of finance, supervisors must be agile enough to suitably correct course in line with the constantly changing nature of the banking industry or the emergence of new risks. In the second part of my speech, I would like to touch upon two such emerging concerns; cyber threats and climate change.

Addressing Emerging Concerns
Ensuring resilience against cyber threats
First, consider the issue of cyber threats. Growing footprint of technology is influencing every facet of the banking business, transforming banks’ internal processes as well as their engagements with customers. As the role of technology deepens from a mere support function to a platform central to everything that banks do, the likelihood of new risks emanating from ubiquitous and connected technologies loom large. Materialization of such risks will not only disrupt vital financial services but will also undermine the security and confidence in the financial system.

In fact, the scale and sophistication of cyber-attacks is already on the rise. Examples include data breach at Target of 70 million credit card users, a cyber-attack on Equifax compromising data of 143 million customers, and the hacking of over 100 million customers’ data at Capital One Bank.

No wonder, cyber risk features as a key concern in different industry surveys. For instance, respondents to the Bank of England’s Systemic Risk Survey of 2H-2018 quoted the risk of a ‘cyber attack’ as the second major threat to the system, only behind the Brexit induced political risk.

The growing threats of cyber risk need to be reflected in banks’ operational risk capital charge. Incidentally, the Basel Committee has revised its operational risk methodology by replacing the existing three techniques with a simplified Standardized Measurement Approach and expects that its implantation, due by January 2022, will increase capital risk charge for operational risk by 18 percent for a group of banks currently using Standardized Approach of the old regime. While it is not clear how much of the increase in operational risk charge is driven by the recognition of growing cyber threats, greater capital allocation for operation risk is a step in the right direction, given the increasing significance of such low probability but high impact risks.

However, reliance on capital alone will not suffice. Supervisors must ensure that banks improve their operational resilience by strengthening their ability to respond to and recover from cyber-attacks. At a minimum, mitigating cyber threats would require effective collaboration between regulators and the industry, adequate contingency and recovery plans by banks and sound security practices by all participants of financial market infrastructure. In Kuwait, we are in the process of putting in place an advanced platform for effective information sharing about cyber threats that can later be used at the regional level.

Supervisors in this regard can leverage CPMI-IOSCO guidance that calls for ‘resilience by design’, encouraging to incorporate sound security features in the system right from its earliest stage of conceptualization. This approach will help address the potential cyber compromises that could stem from banks’ dependence on legacy technologies.

To help strengthen cyber resilience of financial institutions, Financial Stability Board (FSB) is currently working on ‘identifying practices to help financial institutions recover from and respond to cyber incidents’. Next year, they are planning to release a toolkit of effective practices that banking industry can use in improving operational resilience against cyber threats.

Coping with climate change
The second emerging issue warranting our close attention is climate change. According to UN estimates, around 60 million people were affected by extreme weather events in 2018 alone. And within this year, we have witnessed the damaging impact of wildfire in California, hurricane in Bahamas, cyclone in Bangladesh and typhoon in Japan.

Thankfully, the issue of climate change, after languishing on margins for years, has finally caught policy makers’ attention. As Victor Hugo once said, ‘nothing is as powerful as an idea whose time has come’. It seems that time has finally come for the climate change to receive the attention it deserves.

Climate risks stem both from climate shocks like floods, hurricanes and other severe weather events as well as from trends such as warming temperatures, melting glaciers and rising sea levels. Broadly speaking, these weather developments pose two types of risks to the financial sector; physical and transition. Increasing severity and frequency of extreme weather events could pose serious physical risks by damaging the assets that constitute banks’ exposures. Additionally, natural disasters can damage public infrastructure and destroy livelihood, hurting economic activity in general.

On the other hand, transition risk stems from the economic impact of a shift to a low-carbon economy. Factors like development of environment-friendly technologies, changing public sentiments, and new laws to govern carbon emission can cause a shift in economic activity towards greener projects. As a result, the value of carbon-intensive assets might drop as investors’ risk perception and preferences change. Sectors like oil, gas, coal and utilities are particularly vulnerable in the long run as transition risk might devalue their assets and displace their workforce.

International Energy Agency (IEA) estimates that achieving Paris Agreement target on climate change would require, by 2050, about 80 percent decrease in the CO2 intensity of the building sector, 95 percent of world energy supply to be of low carbon and 70 percent of new cars to be electric. This will cause significant, even if slower, shift in the structure of our economies with strong bearing on the financial sector.

That is why the NGFS, the Central Banks and Supervisors Network for Greening the Financial System, has argued that ‘climate related risks are a source of financial risk and therefore fall squarely within the mandate of central banks and supervisors to ensure that financial system is resilient to these risks’.

Regulators need to determine how best to incorporate and operationalize climate related risks in their prudential policy settings. It would require expanding the risk matrix to formally include climate related risks and enhancing the analytical tools to assess financial sector exposures to extreme weather events. Bank of England has announced that in 2021, it will start stress-testing banks on different climate pathways. Ultimately, the key is to retool the regulatory regime to factor in risks to climate change in a holistic fashion, instead of adding on an additional item in the risk matrix.

Let me conclude. While we have managed to fix the fault lines exposed by the GFC, our understanding and ability to respond to some of the emerging risks remains limited. This is true for both cyber threats and climate change. A feature common to these risks is their wider impact through multiple entry points. Hence, the key to address both lies in sharing information and strengthening cooperation. If we are grappling with risks that transcend sectoral and national boundaries, so should our response.