On July 27th, the Fed, FDIC, and the OCC released their long-awaited proposal to implement the final components of the Basel III agreement, also known as the Basel III endgame. Separately, the Fed also proposed adjustments to the calculation of the capital surcharge for global systemically important banks (G-SIBs). The agencies estimate varied impact across the categories of the Fed’s tailoring framework, with an aggregate increase in RWA by 24% for Category I and II banks and 9% for Category III and IV banks. The proposals include adjustments to the following areas:
Comments on both proposals are due by November 30, 2023. As proposed, implementation of Basel III endgame would take effect July 1, 2025, with a three-year phase-in until June 30, 2028.
Our Take
The proposal would raise capital requirements beyond what was anticipated and implemented globally.
The proposal significantly reduces variance between categories in the regulatory tailoring framework.
Compliance will be more complicated than just meeting new regulatory capital minimums.
What happens now?
Figure 1: Risk based capital stacks
Source: PwC Analysis
* Existing standardized approach except derivatives that must use SA-CCR
** SCB will be the same across both stacks and will be based off of the constraining approach as of the jump-off point for stress testing
*** Expanded Risk Based RWA (stack 2) would be floored at 72.5% of RWA calculated across risk stripes using the same expanded risk based approach but using only standardized measures of the proposed market risk framework
**** For simplicity “adjusted allowance for credit losses not included in tier 2 capital” and “allocated transfer risk reserves” are not included
On Wednesday, the Securities and Exchange Commission adopted final rules and amendments requiring public company registrants to disclose material cybersecurity incidents and to make certain disclosures regarding their cybersecurity risk management, strategy and governance on an annual basis. Specifically, the final rule requires:
There were a number of key changes from the March 2022 proposed amendments including:
The material incident disclosure requirements would be effective on or after December 18, 2023 (smaller reporting companies have a 180-day deferral). Disclosures for risk management, strategy and governance would be effective for all registrants for fiscal years ending on or after December 15, 2023.
Our Take
This rule will pose numerous challenges for publicly traded US companies, which must soon make new disclosures pertaining to material incidents, cyber risk management, strategy and governance. Most large financial institutions are already facing growing cybersecurity risk management expectations from regulators, including the Fed and OCC, but having to publicly describe their programs in greater detail may spur them to further shore up their defenses. This new disclosure regime will expose companies’ cybersecurity programs to comparison with their peers and scrutiny from investors. Accordingly, financial institutions will need to not only consider standards from their primary regulators, but where their policies, procedures, risk assessments, and controls stand against industry leading practices. They will also need to develop or update policies and procedures for determining materiality of cybersecurity incidents and the details they should disclose with coordination across security, finance, risk and legal teams as well as, when needed, key business leaders. In particular, they will need to be prepared to make timely determinations of whether certain disclosures could exacerbate security risks or publicize vulnerabilities.
In addition, as they prepare to describe their oversight role in annual disclosures, financial institution boards should take note that regulators and investors expect them to take an increasingly active oversight role when it comes to cybersecurity matters. Although they will no longer be required to disclose specific names, firms should still consider either having a board member with cybersecurity expertise or having consistent access to independent subject matter experts for educational sessions or consultations. They should also make sure they are kept abreast of the information to be disclosed, assess the content and frequency of information they receive on cybersecurity risks, and make sure members are able to effectively challenge management’s identification and management of such risks.
For more information on preparing, see our analysis of the SEC’s new cyber disclosure rule.
Also on July 26th, the SEC proposed new requirements for broker-dealers and investment advisers (collectively referred to as firms) to address conflicts of interest associated with predictive data analytics. Chair Gary Gensler has previously spoken on the proliferation of predictive data analytics and expressed concerns that using such technologies to recommend investments can result in conflicts of interest, bias, and breaches of investment adviser requirements like fiduciary duty, best execution, and best interest.
The proposal would require firms to evaluate their use of covered technologies, defined as “analytical, technological, or computational functions, algorithms, models, correlation matrices, or similar methods or processes that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes of an investor.” They would need to determine whether there are any conflicts of interest placing the firm’s interests ahead of those of investors and if any exist, to eliminate or neutralize them. They would also be required to have written policies and procedures and keep books and records related to these requirements.
Separately, the SEC proposed updates to its rule requiring investment advisers that provide advisory services through the internet to register with the SEC to remove the de minimis exception allowing investment advisers to have a limited number of non-internet clients. Internet advisers would need to provide services to all clients exclusively through an operational interactive website.
Both proposals will be open for comment for 60 days after they are published in the Federal Register.
Our Take
While Chair Gensler has had predictive data analytics in his sights for much of his tenure as SEC Chair, this proposal also reflects growing concerns across regulators and lawmakers around potential harm resulting from the use of automated technologies, including artificial intelligence (AI). All SEC-supervised firms will need to understand whether their investment platforms use any tools that fall under the broad definition of “covered technologies” and demonstrate thorough analysis of potential conflicts of interest. To do so, they should closely review the output of those technologies for determinations that benefit the firms’ interests or have disparities across investor demographics and classes. Boards and senior managers should seek detailed explanations of the data and logic underlying such systems and scrutinize controls in place to prevent conflicts of interest. Even if a firm’s assessment of its data analytics technologies finds that there are no potential conflicts of interest or that they are effectively managed, SEC examiners will expect to see detailed documentation of how the firm came to that determination.
On July 12, the International Swaps and Derivatives Association (ISDA) published a new Conceptual Framework for climate scenario analysis in the trading book based upon commissioned research with more than 30 ISDA member banks. ISDA notes that climate scenario efforts so far have primarily focused on long-term impacts on the banking book and that different considerations are needed to assess shorter-term effects of climate risk on the trading book. ISDA plans to pilot this conceptual framework during the second half of 2023 to test its usefulness as well as to generate some estimates of potential climate risk impacts on a set of hypothetical portfolios.
The framework focuses primarily on scenario design and implementation while breaking it down into five key stages:
Our Take
This ISDA framework demonstrates growing attention to shorter-term effects of climate risk on the trading book, where many banks have less mature capabilities after having been focused mainly on their banking books. In order to expand their climate scenario analysis to the trading book, banks will need to conduct new assessments of scenarios impacting all asset classes (i.e., equities, fixed income, derivatives), identify available internal and external data sources, analyze existing stress testing methodologies to be augmented and align on newly defined metrics. With derivative instruments, there could be challenges discerning probable climate drivers or pathways, as well as mapping or selecting parameters, that lead to measurable economic impacts given the current development stage of climate scenario analysis. Although institutions may be comfortable with their existing risk framework and climate considerations (e.g., carbon or commodity pricing), additional impacts and pathways should account for a broader spectrum of risks, particularly physical climate risks (e.g., event severity, frequency, duration) and their application to FX or rates strategies. Given the nuances involved, it is paramount that first and second lines of defense (e.g., climate officers, risk, trading desks) share their expertise to address product impacts, data requirements, and overall approach to close gaps and address potential challenges that could arise within the layers of their current framework. The key difference in governance and accountability between the banking book and trading book is the frequent coordination that must occur across the business (i.e., trading desks), financial risk, model risk management, and data and technology.
While much work is still to be done, the latest framework is a step forward in understanding and managing the impact of climate-related events on traded assets. Although expectations for US banks are not yet as rigorous for climate-related financial risk, the continued release of additional reviews and guidance is signaling that more regulatory scrutiny is likely on the horizon.
These notable developments hit our radar this week:
All proposed rules have a 60-day comment period after publication in the Federal Register.