Want to catch misbehaviour? Watch the electronic chat

The monitoring of internal electronic messages has become among the most potent tools of first-line risk managers, a BNP Paribas executive has told Risk.net.

“It is amazing how many people have arguments on chat – between sales and trading over who is responsible for a loss, for example, if they have to report it, say, within 24 hours,” said Andrew Brodie, global head of front office conduct surveillance at BNP Paribas, listing some eavesdropped chats at the OpRisk Europe conference in London on Tuesday. “We can just look at the chat and flag it to operational risk.”

Frank, unguarded conversations on various forms of instant messaging have been critical to many recent enforcement cases – most prominently, the self-described ‘Cartel’ of foreign exchange traders prosecuted by the US Department of Justice for their alleged involvement in a scheme to time forex trades so their banks could profit at the expense of clients. The three traders were subsequently acquitted.

The behaviour is nothing new. During the global financial crisis, the credit rating agencies were heavily criticised for their business ties to the very issuers of securities they were rating. In 2007, a Standard & Poor’s employee was caught instant-messaging about the agency’s standards for rating structured products: “We rate everything. It could be structured by cows and we would rate it.”

But internal chat surveillance can also catch conduct risk issues before they hurtle from embarrassing to catastrophic.

“There are some people who are always on the edge of their risk limits – they will go over and ask for an extension to the limit, and then a month later they will still be over the limit as the extension is running out, and they’ll say their boss is travelling that week, so can we wing it for a bit longer?” said Brodie.

“We would say that is breaking every rule in the book – that is why we have risk limits! So we find a lot of use in that forum, and my team spends a lot of time there.”

Brodie spoke during a discussion on the three lines of defence model of operational risk management. Having a dedicated head of internal chat and communications monitoring has become a first-line controls role at many large banks. Brodie and others also emphasised the importance of pushing risk responsibility on to front-office business heads.

“A good thing is to put business heads responsible for all the risks in their business,” said Paul Neale, Mizuho International’s head of operational risk. “That’s who the regulators will come after, anyway, even if the failure is actually in a support function like IT.”

The lines of responsibility can be blurry. “The business heads will say they are not experts, it’s not their job – so they will employ people to do that for them,” he added. “You can have a difficult conversation about who is responsible for controls, whether it’s the business head or whether it gets pushed aside.”

William Martyn, global head of risk steward oversight at HSBC, said the parsing of responsibility on things such as internal chat showed that the three-line model can be complicated in practice.

“It’s not easy to implement in a meaningful way,” he said. “At HSBC, we have three key roles in the first line: the risk owner; the control owner, who operates the controls and is often in a function like IT or operations; and the chief control officer. And in the second line, we have the risk stewards, who are the specialists, who set policy and risk appetite and oversee them, and the operational risk function, which sets framework and policy.

“The second line needs to be very slim. You need to keep an eye on the value proposition, on setting the appetite. You can’t just sit there and occasionally speak up – you need to give an opinion, write it down, and get it into formal governance. You need to show that the second line has teeth.”