Legal requirements leading to new e-security challenges
Financial organisations and service providers (FSPs) are confronted with numerous legal requirements and recommendations. One predominant regulation is the 'Basel Capital Accord' from the Basel Committee. More than a decade has passed since the Basel Committee on Banking Supervision (the "Committee") introduced its 1988 Capital Accord (the "Accord"). The original framework described a capital measurement system for financial institutions, stating that they need to hold capital amounting to 8% of their credit risk. The Accord is enforced by regulatory agencies in the so-called G-10 countries, and is applicable to all internationally active banking institutions.
The business of banking, risk management practices, supervisory approaches, and financial markets have each undergone significant transformation since 1988. That is why, in June 1999, the Committee released a proposal to replace the Accord with a more risk-sensitive framework. This Basel II Capital Accord is expected to be effective as of 2006.
The 1988 Accord focussed on the total amount of bank capital, which is vital in reducing the risk of bank insolvency and the potential cost of a bank's failure for depositors. The 1988 Accord set a capital requirement simply in terms of credit risk (the principal risk for banks), though the overall capital requirement (i.e., the 8% minimum ratio) was intended to cover other risks as well.
In 1996, market risk exposures were added as a second separate type of risk and were given separate capital charges. The new framework of Basel II will introduce operational risk as a third type. The Committee has been working with the industry to develop a suitable capital charge for these operational risks; for example, the risk of loss from computer failures, poor documentation or fraud. Based on work to date, the Committee expects operational risk on average to constitute approximately 20% of the overall capital requirements. IT risks, such as the risk of being hacked and the risk of online fraud, are important elements in this.
The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.
An advanced Managed Security Service can clearly help financial institutions to quantify IT risks and identify which steps have the highest marginal impact in reducing those risks, as an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirements by even a few basis points has drastic profit and loss implications.