Basel II: Coming to America

The Basel II Accord has been floating around the global financial industry for years, but, until recently, it didn't look as if it would apply to U.S. securities firms. Now, many U.S. firms are playing a degree of catch-up to prepare their business and technology environments for the precepts of the accord.

While it's now clear larger U.S. securities firms will be covered by Basel II, that wasn't the case when it was first proposed. "That has resulted in securities firms getting a slower start relative to the commercial banking industry," says Joseph Sabatini, managing director and head of the corporate operational risk team in JPMorgan Chase's risk management group.

Basel II was proposed in 1999 for global banks to assess and manage risks. At the time, the Federal Reserve announced that the top nine banks - some of which, such as JPMorgan Chase, Citigroup and Wachovia, have brokerage businesses in addition to commercial banking arms - would have to comply and adopt the advanced measurement approach for their capital adequacy requirements for credit and operational risks. Under rules proposed in late 2003, five large, independent U.S. securities houses - including Merrill Lynch, Goldman Sachs and Bear Stearns - now also will be subject to Basel II under the SEC's Consolidated Supervised Entities (CSE) regime.

For those firms covered by the accord, there are two areas of focus. "One is in re-examining the risk-based methodologies the firms are using for measuring and monitoring market, credit and operational risk," says Michael Alix, senior managing director, global head of credit risk management at Bear Stearns, and chair of the Securities Industry Association's Risk Management Committee. "The second is to translate risk management processes through documentation and procedural clarifications into a language that is well understood by global regulators."

While the processes for assessing market and credit risk have been in place for a long time, the operational-risk-management processes needed to conform with Basel II and CSE still require considerable work. Operational risk can mean anything from a trading system failure to a flood knocking out a data center with critical information.

Better View of Risks

To improve their operational-risk-assessment capabilities, firms are targeting three initiatives, says Dushyant Shahrawat, senior analyst in TowerGroup's securities practice: upgrading core infrastructure, including building data warehouses; using integration and business-process-management technology to improve operations workflow; and exploring newer technologies such as Web services and grid computing to improve operational-risk management.

When the regulatory discussions began, JPMorgan had many of the components in place that are necessary for Basel II operational-risk compliance, such as a firmwide self-assessment system, but it was missing other elements. Those included firmwide internal loss data and a means to measure operational risk. "So we have developed the toolkit internally, and for the last 18 months have been working on the development of an application so that these individual components can be captured in an integrated database," says JPMorgan's Sabatini.

For the time being, though, most U.S. securities firms aren't obliged to comply with Basel II. Still, some may willingly adopt the standards. "Smaller firms may volunteer to become compliant because they want to make sure they are being as competitive with the top-tier firms as they can," says Bill Hidell, SVP, operational risk management for Wachovia Securities.

Some might also see this as writing on the wall, expecting that the regulations eventually will trickle down. "No firm wants to be caught unprepared for anything to do with regulations because the repercussions are horrific," observes TowerGroup's Shahrawat

Being prepared, even for a global standard that doesn't apply to the majority of U.S. securities companies, may prove the safest option.