Front-to-back trading controls: key areas of scrutiny across the banking industry

Recent regulatory developments and trading incidents mean that banks’ trading risk management practices and controls are under intense scrutiny. Whilst prime brokerage activities and relationships with family offices have been the focus of media attention, regulators had expressed concerns on broader trading controls long before these recent incidents materialised. Further, from an internal perspective, senior executives and board members have challenged management on the standards applied within their respective business lines, control functions and legal entities.

Compliance with evolving regulatory expectations is undoubtedly a driver, however firms are also seeking to ensure that those on the front line are equipped to efficiently and effectively manage the risks associated with their business activities.

The events of early 2021 have only heightened this scrutiny with implications across the front-to-back trade lifecycle. Over several years banks have built key risk management and control mechanisms to meet discrete regulatory requirements or bilateral feedback received. In addition, many banks continue to operate with an overarching reliance on manual checks and post-tradere conciliations. This has led to elements of fragmentation, inefficiency and complexity, which means the time is now right for banks to revisit their approaches in recognition of the enhancements required.

We outline below five key areas of the trading control framework that are under the spotlight across the industry:

1. Supervisory framework

Following recent self-assessment exercises, banks have recognised the need to consolidate, streamline and enhance front office (FO) supervisory oversight and controls, with the objective of increasing efficiency and enabling proactive risk-based supervision. In some cases, significant enhancements are being driven by the business rather than control functions responding to regulatory demands. Whilst certain banks are targeting improvements in discrete areas, others are reviewing the framework in its entirety, considering roles and responsibilities, system capabilities, processes, controls and management information.

Senior management should be addressing the following key considerations:

• Have the roles, responsibilities and expectations for supervisors, in-business risk and controls functions and other support functions been clearly articulated?
  
• Are there appropriately documented core supervisory procedures and controls, with lineage to regulatory and internal policy requirements?
• Are supervisory controls consistently designed and executed across products?
• Does current technology support or inhibit the efficient and effective performance of supervisory responsibilities?
• Does management information enable supervisors to identify and manage risk across indicators?

2. Preventative controls

Banks’ current reliance on manual and detective controls continues to be a cause for concern amongst regulators, particularly where banks operate complex, fragmented or aging infrastructure. Recent high-profile events have highlighted the potential consequences of not upgrading control processes and establishing automated and systematic mechanisms. Whilst such incidents may occur relatively infrequently, the financial, regulatory and reputational consequences are significant, therefore banks should evaluate where enhancements are required and implement them accordingly.

Senior management should be addressing the following key considerations:

• Which areas of the framework should be targeted for establishing systematic, preventative controls?
  
• Have permissible activities and transactions been digitised in alignment with regulatory requirements and internal policies? Is there a standardised view across the 1LOD and 2LOD?
• Should preventative mechanisms block transactions, propose a re-evaluation of the transaction or require senior approvals?
• What technology capabilities are required to establish consistent, sustainable and cost-effective solutions?
• Should controls be applied at the business, desk or individual level?
• What mechanisms are required to ensure preventative controls remain effective?

3. Client selection and monitoring

The events of 2021 have intensified the scrutiny on client selection and monitoring practices, particularly with respect to hedge funds and family offices. Whilst the Archegos incident has dominated the headlines, other lower profile incidents have occurred over recent years with similarities to this scenario. Banks across the industry are now undertaking internal assessments to verify that appropriate risk management and control frameworks are in place.

As a result, senior management should be addressing the following key considerations:

• Do onboarding processes effectively identify areas of concern, escalate these to appropriate senior management and capture them for ongoing monitoring throughout the client relationship?
  
• How are evolving client activities and risk profiles monitored and challenged on an ongoing basis?
• Are collateral, margin and risk factor measurements operating effectively?
• Are early warning indicators across the front-to-back control framework appropriately highlighting emerging areas of risk?

4. Middle office and operations

The regulatory focus on trading controls has not been restricted to the front office, with increasing scrutiny of the control processes executed by middle office and operations, particularly where these are highly manual or there are varying levels of maturity across fragmented infrastructure. The largest firms have also been pushed to reconsider how they aggregate, measure, monitor and report risk across products, geographies and legal entities, with specific attention given to those processes performed offshore.

Senior management should be addressing the following key considerations:

• Is there a consistent and complete inventory of controls with consolidated views across products and geographies?
• Is there a robust approach to assessing and monitoring the effectiveness of these controls on a regular basis, with remedial actions to be addressed?
• Has technology been fully utilised to segregate duties, restrict access, ensure completeness and validity of trading activity, evidence control execution and automate escalation paths for exception management?
• Does data quality restrict the ability to monitor key risk indicators across product, region and legal entity dimensions on a daily basis?
• Has management information been aggregated, rationalised and tailored for senior management, to enable them to effectively identify and mitigate risks in a timely manner across their areas of responsibility?

5. Legal entity enabled risk management and oversight

Several firms continue to operate highly integrated booking models, with activities often originated and risk managed in a different location to the booking entity. Demonstrating that effective legal entity oriented governance, risk management and control mechanisms are in place remains a considerable challenge, particularly when the requirements of local accountability regimes are taken into account. With new expectations set to be published by the PRA on this topic, within their upcoming supervisory statement on international banks, together with continued scrutiny across the US, Europe and APAC, this is likely to remain a focus area for the foreseeable future.

Consequently, senior management should be addressing the following key considerations:

• Is the booking model transparent and understood by senior management? Do key business and legal entity stakeholders understand risk profiles across legal entities?
  
• Are local risk management and governance arrangements commensurate to the risks held by each legal entity?
• Is the legal entity dimension explicit in core risk analytics and financial reporting, and how is this consumed by senior management, legal entity executives and governance forums? Does this enable them to effectively execute their oversight responsibilities?
• Are controls appropriately calibrated to legal entity specific licences, permissions and risk appetite?
• What additional mechanisms are required to manage the risks associated with remotely booked business, across the front-to-back trade lifecycle?
• Are intra-group relationships transparent and understood? What additional risks result from these arrangements and how should these be mitigated?

Given recent headlines, and irrespective of a bank’s relative size and complexity, a step-change will be required across the industry in the periods ahead. Our experience in supporting global banks on enhancing their trading risk management and controls, together with our direct engagement with regulators on the above topics, means we quickly identify ways in which our clients can enhance their approach.

To find out how we can support you in establishing your enhanced trading controls framework, please get in touch.