Citibank’s $900 million flying-finger fiasco is a timely reminder that operational risk unrealized is operational risk that costs a whole lot.  As we detailed in our analysis of Basel’s new operational-risk construct, global regulators are still writing this rulebook, adding yet more of the mandatory policies, procedures, filings, and reports that keep risk managers and supervisors occupied even as operational risks take on still more importance in the pandemic.  What the financial system needs is not still more boxes to check – instead, it’s past time for a strategic understanding of operational risk’s impact not only on banking organizations, but also for the investment funds and other nonbanks even more exposed to it in the absence of regulatory buffers.

Operational risk comes from inadequate or failed internal processes, people, and systems as well as from legal and reputational risk along with that posed by external events (natural disasters, pandemics, geopolitical risk).  As I told Congress in 2005, these risks are damnably hard to quantify but hellish when visited upon a financial institution.

Reflecting this, the U.S. has struck an uneasy balance with operational risk, retaining the advanced measurement approach (AMA) now just for GSIBs and one custody bank that would otherwise escape this requirement.  Operational risk is also captured in CCAR, although no one knows how this was done beyond the fact that it was done, costing big banks more than they think appropriate and clearly quite a lot.  In its 2018 operational risk-based capital (ORBC) rewrite, Basel went a totally different direction, rejecting the AMA, restandardizing the framework into a new construct, and largely requiring capital based on operational risks gone by, not that to come.  That this two-faced approach is too wholly unsatisfactory is evident in the fact that, while the global ORBC rules are retrospective, the proposed new operational risk-management standards are not.  We thus end up with global banks buffered against past risks which presumably now are well mitigated even as banks are capital-naked to new, unrecognized operational ravage.

But, at least banks have operational risk capital.  Even though ill-quantified and often mysterious in construct, these rules do force recognition of operational-risk mitigation.  As a result, a positive incentive – blunt, but meaningful – encourages banks to hold capital above and beyond that for credit, liquidity, and market risk.  Business-continuity requirements and resolution planning also provide a meaningful bulwark against operational risk, bulwarks that, along with insurance, can and should be better recognized in capital regulation and thus more effectively encouraged.

None of these operational-risk capital or mitigation rules applies outside the banking system, but operational risk has no respect for legal niceties.  Credit and liquidity risk may well be specific to banks focused on financial intermediation, but systems failures, legal risk, and external mind-benders strike mercilessly across the financial industry.

We have seen over and over again that regulatory asymmetry leads to regulatory arbitrage.  The lack of like-kind capital and liquidity rules brought forth the nonbank financial-intermediation sector getting renewed attention in the pandemic’s wake despite the enormous role these nonbanks played in the 2008 financial crisis .  Now, operational risk is even more important – the imbalance between banks, especially custody banks, and nonbanks means that nonbank asset managers have strong incentives to mimic fee-based activities which, at banks, cost buckets in terms of operational capital and mitigation requirements.

This might just be a competitive problem for banks versus Blackrock and other investment-fund behemoths were it not for the fact that regulatory arbitrage also spawns systemic risk.  As we have seen, key fund sectors were close to the systemic edge last March and many would have gone over if not for the Fed’s market intervention.  Some of this is simple liquidity risk, risks not fully addressed by the SEC’s 2014 response to Fed demands after the last go-round.  But operational risk is at its core because the pandemic was the problem.  This risk manifested itself in the runs that jeopardized both the sector and the system, but a liquidity-risk only construct would not have been enough to catch it because liquidity-stress scenarios are not operationally inclined.

Now, all the funds flowing into banks seeking a safe haven will soon cost banks still more in terms of operational-risk capital, essentially forcing banks to pay once for their resilience in terms of all the pre-COVID operational, capital, liquidity, and stress-test rules and once again as all the new assets resulting from new deposits factor into the next version of all these calculations.  Does this make sense?  Not to me.