Protecting databases from the law
Operational loss event databases are required under Basel II. But, Clive Davidson discovers, the legal risks associated with them could prove troublesome for banks
The advanced measurement approach (AMA) of Basel II requires that banks gather data on their loss events in order to calculate probabilities of future losses for the purposes of allocating appropriate capital to cover such events. However, losses have always been a sensitive subject, with no bank wanting to publicise or make freely available information on where it has suffered fraud, rogue trading, systems failure or suchlike. So while the gathering of data on untoward events into a single database might make sense in terms of analysis and forecast of a bank’s operational risks, it appears to create an all too accessible source of potentially compromising information for those taking legal action against a bank. And some people in the industry fear that industry consortia databases, where banks pool loss-event data, could also be vulnerable. While there is an industry consensus that loss-event databases are a good tool to help reduce operational risk, there is little agreement about the legal risks surrounding the databases, or how best to resolve them.
"In general in the US, an adverse party has the right to discover all relevant data to a lawsuit," says Jonathan Rosenoer, global head of operational resilience and risk solutions for the financial services sector at global technology and services company IBM. "The US has extensive discovery proceedings where you are allowed to go out and get as much information as you can. So how vulnerable loss-event data might be, kept internally or externally, depends on what type of lawsuit is being brought, what the claim is and what the relevance of the data is to that claim."
Michael Bleier, general counsel at Pittsburgh-based financial services firm Mellon Financial, does not think there is any ambiguity surrounding the question in the US. "Loss databases can be subpoenaed – it’s very straightforward," he says. This applies to internal or external pooled databases, he says.
Others can’t see what the problem is. "The [loss-event] data exists in an institution – we are not making it up – so I don’t think it increases the [possibility of] discovery at all," says Robin Phillips, vice-president, corporate operational risk at JPMorgan Chase and vice chair of the Operational Riskdata eXchange (ORX), a loss-event database set up by a consortium of global banks and headquartered in Switzerland. He acknowledges that some people have concerns that because loss databases gather together data neatly in one place they make the discovery process easier for a potential plaintiff – "but since the data already exists we are not increasing our exposure," he says.
But Pam West, head of operational risk for Bank of America, highlights the issue of setting up a reserve, when a bank knows that it will have to make a payout at some stage in the future to cover an event, and how it describes the event when putting it into a loss-event database compared with simply describing it for accounting reasons. West gives the example of the bank setting aside $100 million to cover potential payouts in the wake of the mutual fund affair in the US. "The mutual fund one wasn’t difficult [to describe] because it was in the media every day, but there are other things which are not in the media for which you need to set up a reserve – how much information do you write around that event when it could be subpoenaed and hauled into court?" she asks.
The problem is ensuring that there is enough detail for the operational risk department to be able to categorise the event for the loss database – which might be more than the bank wants to give away should the information be subpoenaed. West’s preferred solution is for the bank to educate the legal department in the Basel loss-event categories so that they can allocate the events to the database, thereby circumventing the need for extended descriptions. "What we are trying to do is get the events in the right categories in the database," she says.
Rosenoer also raises the issue that, because banks are compiling loss-event data for the first time, a loss-event database might show that a bank has a different risk profile from the one that was generally thought. Furthermore, "[a loss-event database] could also give hostile external people the ability to find supporting data that the bank had material problems that were supposed to have been disclosed to the public but weren’t," he says.
While there are many different views on the legal risks surrounding internal loss databases, the position of external databases is no less controversial. Rosenoer says: "Without any protection on the data [in an external database] there is a fear or a risk that certain third parties, such as a litigant, can subpoena all data coming from any particular institution that is relevant to a lawsuit." Bleier says: "When you turn the data over to a third party they can be subpoenaed by the plaintiffs and all the data you’ve provided to them is discoverable."
Phillips believes the fear is ungrounded with a consortium database like ORX because the data is rendered anonymous as it is input. This also prevents the accidental disclosure of information. "Nobody wants to see a list of losses from their firm published in the Wall Street Journal or the Financial Times," he says. "With ORX, there is a high premium placed on confidentiality, and that is fully protected in the way that data is transmitted and handled, so that it is impossible to decode any of the records to see what the losses are for a particular bank."
But he acknowledges that ORX was set up in Switzerland, with its strong banking secrecy laws, to help alleviate European banks’ concerns about the potential for the data to be subpoenaed by US courts.
Meanwhile, David Dooks, director of statistics at the British Bankers’ Association, which operates the Gold Consortium loss-event database, says that none of Gold’s contributing banking groups, which now number 35 (mostly European, but including some Australian, US and Canadian banks), has so far expressed concerns about the legal risks of information in the database. This is because the data is high level and rendered anonymous, so that it is not traceable back to individual banks, he says.
But Rosenoer says that a number of banks are worried that a plaintiff could subpoena industry information from a consortium loss database to show that practices or losses by an individual institution didn’t meet certain industry standards. "And there are fears, for example, that data on the settlement of lawsuits with employees over employee claims could be aggregated by plaintiff attorneys so they could figure out that banks were settling suits at a certain level and use that information to raise the bar on what they were looking to settle for."
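The two anonymisation claims above (records rendered anonymous as they are input, data kept high-level so that it is not traceable back to a bank) and Rosenoer's worry about aggregation are the kind of thing a practitioner would want to test rather than take on trust. The following is an added example in Python, not code from the article, ORX or the Gold consortium: it uses constructed loss events for three hypothetical contributors and constructed generalisation tables (the loss bands, the region map, the choice of quasi-identifier fields and the suppression threshold are all assumptions). It contrasts a submission that merely strips the bank name with one that coarsens the remaining fields and suppresses sparse cells, and measures how attributable each is using k-anonymity and a linkage check against facts an outsider could already know from the press.

```python
"""Re-identification check for pooled loss-event records.

Added example with constructed data; field names, loss bands, region map and
the threshold k are assumptions, not any consortium's actual scheme.
"""
from collections import Counter
from datetime import date

# Constructed sample: loss events from three hypothetical contributors.
RAW_EVENTS = [
    {"bank": "Bank A", "event_type": "External fraud", "business_line": "Retail banking",
     "country": "UK", "event_date": date(2004, 3, 12), "gross_loss": 1_240_000},
    {"bank": "Bank A", "event_type": "External fraud", "business_line": "Retail banking",
     "country": "UK", "event_date": date(2004, 5, 2), "gross_loss": 310_000},
    {"bank": "Bank B", "event_type": "External fraud", "business_line": "Retail banking",
     "country": "DE", "event_date": date(2004, 4, 20), "gross_loss": 1_410_000},
    {"bank": "Bank B", "event_type": "Employment practices", "business_line": "Corporate finance",
     "country": "DE", "event_date": date(2004, 2, 1), "gross_loss": 2_050_000},
    {"bank": "Bank C", "event_type": "External fraud", "business_line": "Retail banking",
     "country": "FR", "event_date": date(2004, 6, 9), "gross_loss": 1_110_000},
    {"bank": "Bank C", "event_type": "Employment practices", "business_line": "Corporate finance",
     "country": "FR", "event_date": date(2004, 1, 15), "gross_loss": 2_900_000},
    {"bank": "Bank C", "event_type": "External fraud", "business_line": "Retail banking",
     "country": "FR", "event_date": date(2004, 8, 30), "gross_loss": 420_000},
]

# What an outsider might already know from a newspaper report (constructed).
PRESS_REPORT = {"event_type": "External fraud", "business_line": "Retail banking",
                "country": "UK", "event_date": date(2004, 3, 12), "gross_loss": 1_240_000}

# Generalisation tables: assumptions chosen for the example.
REGION = {"UK": "Europe", "DE": "Europe", "FR": "Europe", "US": "North America"}
LOSS_BANDS = [(0, 500_000), (500_000, 1_000_000), (1_000_000, 2_000_000), (2_000_000, 5_000_000)]

# Quasi-identifiers: fields that, combined, can single out a record even without the bank name.
NAIVE_QI = ("event_type", "business_line", "country", "event_date", "gross_loss")
GENERAL_QI = ("event_type", "business_line", "region", "year", "loss_band")


def loss_band(amount):
    """Map an exact loss to a coarse band label."""
    for lo, hi in LOSS_BANDS:
        if lo <= amount < hi:
            return f"{lo}-{hi}"
    return f">={LOSS_BANDS[-1][1]}"


def strip_contributor(events):
    """Weak anonymisation: drop the bank name and leave every other field exact."""
    return [{k: v for k, v in e.items() if k != "bank"} for e in events]


def generalise(events):
    """Drop the bank name and replace exact quasi-identifiers with coarse ones."""
    return [{
        "event_type": e["event_type"],
        "business_line": e["business_line"],
        "region": REGION[e["country"]],
        "year": e["event_date"].year,
        "loss_band": loss_band(e["gross_loss"]),
    } for e in events]


def k_anonymity(records, qi_fields):
    """Size of the smallest group sharing one quasi-identifier tuple; 1 means some record is unique."""
    groups = Counter(tuple(r[f] for f in qi_fields) for r in records)
    return min(groups.values()) if groups else 0


def suppress_sparse(records, qi_fields, k):
    """Withhold records whose quasi-identifier tuple occurs fewer than k times; returns (kept, dropped)."""
    groups = Counter(tuple(r[f] for f in qi_fields) for r in records)
    kept = [r for r in records if groups[tuple(r[f] for f in qi_fields)] >= k]
    return kept, len(records) - len(kept)


def matching_records(records, known):
    """Records consistent with attributes an outsider already knows (a linkage attack)."""
    return [r for r in records if all(r.get(f) == v for f, v in known.items())]


def assess(events, k):
    """Compare the two submission styles on attributability."""
    naive = strip_contributor(events)
    general = generalise(events)
    kept, dropped = suppress_sparse(general, GENERAL_QI, k)
    return {
        "k_naive": k_anonymity(naive, NAIVE_QI),
        "k_general": k_anonymity(general, GENERAL_QI),
        "press_matches_naive": len(matching_records(naive, PRESS_REPORT)),
        "press_matches_general": len(matching_records(general, generalise([PRESS_REPORT])[0])),
        "published": len(kept),
        "suppressed": dropped,
    }


if __name__ == "__main__":
    for name, value in assess(RAW_EVENTS, k=3).items():
        print(f"{name}: {value}")
```

With the bank name stripped but dates and amounts left exact, every record is unique (k = 1) and the press-reported event matches exactly one submitted record, so that record is attributable to its contributor despite the "anonymisation". After generalisation the same report is consistent with three records, and cells below the threshold are withheld rather than published; the threshold trades coverage for attributability, which is the decision a consortium has to make explicitly.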
So what can be done to protect the data in loss-event databases from legal risk? With respect to internal databases, not a lot appears to be the consensus. The UK’s financial services regulator, Financial Services Authority (FSA), says it is not in a position to offer bank databases protection from the law. It is not a requirement of the FSA that banks hold loss-event data, but they need to do so to help them determine their potential losses more accurately, says an FSA spokesman.
With external databases, some argue that protection is unnecessary because of the anonymity of the data, while others are supporting an industry initiative to bring a bill before the US Congress that will give external loss databases "safe harbour" protection similar to the protection afforded shared databases for anti-money laundering under the US Patriot Act.
The proposed bill, called the Operational Risk Evaluation Incentives Act, is designed to create a safe harbour provision "to protect financial institutions from liability in instances when they are merely sharing information with each other to improve their operational risk performance," said Bill Guttman, professor of economics at Carnegie Mellon University in Pittsburgh, Pennsylvania. The bill would not protect firms’ internal op risk loss databases, however. Guttman is helping to coordinate support for the draft bill in part because the university is working on its own database initiative. The bill is in the process of collecting support from financial institutions – several have submitted letters of support to their Congressmen and senators, and more are on the way, says Guttman. He also says that he is having several conversations with individuals from both houses of Congress to try to gather support for the introduction of the bill for debate.
West thinks the proposed bill is a good idea. "The more we have that kind of approach [of clearing up the legal uncertainties around loss-event databases] the better databases we will all have, and the better modelling and forecasting tools we will all have," she says.
Phillips agrees. "If institutions share operational risk information it is better for the industry – it helps us all improve our risk management processes and best practices. In so far as safe-harbour legislation assists in the process [of sharing data] that’s fine, but it is not a prerequisite."
Bleier, however, remains unconvinced. "I would have concerns about whether the data [in a safe harbour] would truly be protected from a subpoena and litigation." Bleier believes that the only possible solution is a government database, operated by a banking regulator, where the identity of the contributors is protected under law.
Then there is also the data privacy issue and how loss-event databases might run foul of data protection legislation. Fewer people see this as a potential problem. The US Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), the EU Data Protection Directive and similar legislation aim to protect individuals from identification via commercial or other databases. "But loss-event data does not necessarily contain any personally identifiable data, so privacy issues should not be implicated, and particularly not in the case of aggregate data that would be shared among institutions," says Rosenoer. The exception is anti-money laundering data, where details on individuals are held, but there is safe harbour legislation under the Patriot Act that protects this information, he says. Others like Bleier and Foote are not so sure there are no privacy issues, but say there is little clarity around the subject at the moment.
So are loss-event databases worth the risk? Craig Spielmann, who looks after JPMorgan Chase’s Horizon operational risk management application, suggests it is a version of the old chicken and egg conundrum. "If you are better at managing your risk by using these [loss-event databases], you should have less legal exposure to worry about. However, anything you record can be used against you. You need to make a classic risk decision," he says.
West at Bank of America agrees. "We can all sit around and worry about [how loss-event databases are vulnerable to discovery proceedings]," she says. "With the amount of information that the Securities and Exchange Commission is requesting from financial institutions these days, it is a huge issue. But life has to go on and we have to do business, so it’s a weighing of the risk and reward, otherwise we would be paralysed."
So despite the lack of clarity around the legal issues, many banks are pressing ahead and creating their own internal loss databases as well as contributing to consortia databases. Bank of New York, for example, has already created an internal loss database and used it in calculating its operational risk economic capital allocation for its 2004 business plan. Because it is a very large consumer bank it has a very large database, although there are gaps in the data, which is why the bank recently joined ORX, says West.
But the whole point of collecting the data is to improve risk management and reduce losses, she says. "We want to learn from these events – we don’t just want to know about them for the sake of knowing. The whole point is not to do [the action that caused the loss-event] in the first place, so we need to find out the root cause and mitigate it."
Copyright Infopro Digital Limited. All rights reserved.