
Surveillance, conduct and culture: lessons from Credit Suisse

It might not seem as though the sad demise of Credit Suisse has much to teach surveillance professionals, but look harder and it exposes many of the issues 1LoD has highlighted over the past half decade.

The failure of CS is peculiar because it has not involved the revelation of hidden losses or a ‘black hole’ in the bank’s accounts, but instead the erosion and finally collapse of its reputation in the eyes of its customers. Banking is above all about trust and customers finally voted with their deposits.

The list of scandals that led the bank to this point is far too long to list here. Take an arbitrary start point in 1986, when the bank was found to have opened accounts in fake names for Ferdinand and Imelda Marcos that stored money they looted from the Philippines: since then there have been at least 18 further significant enforcements against the bank in Switzerland, the US, Japan, Singapore, Hong Kong, the UK, Italy, Bermuda and France.

These culminated in, amongst other things, a corporate espionage scandal involving the Board that led to the departure of the chief executive; the first criminal trial of a Swiss bank in the country’s history (over links to a Bulgarian cocaine ring); allegations from leaked papers that the bank has held billions in the accounts of criminals, dictators and rights abusers for decades; a ruling that the former Georgian prime minister had suffered a loss of $553 million due to failures by Credit Suisse Life Bermuda; the collapse of supply chain finance firm Greensill Capital (which turned out not to be doing SCF in any normal sense of the term) and the implosion of Archegos Capital, which cost the bank $5 billion despite the relatively slim profits the bank was making from the relationship.

 

A problem of culture?

Almost farcically, new chairman Antonio Horta-Osorio, brought in in April 2021 pledging to put better risk management at the heart of the bank’s culture, resigned a few months later having repeatedly breached COVID rules.

Even as the end drew close, the bank was forced to postpone its annual report, after a last-minute call from the US Securities and Exchange Commission over revisions made to cash-flow statements for 2019 and 2020. When it finally released the report, it acknowledged "material weaknesses" in its internal controls.

The big picture lesson is clear enough: regardless of ‘tone’ from the top, and it’s behaviour - not tone - that counts, the culture of the bank seems to have remained firmly rooted in traditional (and out-dated) concepts of Swiss bank secrecy that prioritise wealth concealment, anonymity and tax avoidance.

That culture is reflected in those multiple fines for failures in financial crime prevention and repeated exposure in media leaks of controversial financial activity. But it’s also reflected in the aftermath of failure: looking at the firing of chief compliance officer Lara Warner in the wake of Archegos, or at the revolving door that has recently spat out her replacement Rafael Lopez Lorenzo and head of regulatory compliance, Julian Gooding, it’s hard not to conclude that compliance was treated as a scapegoat for cultural and control failings that went much deeper.

 

Blame the system?

Surely the bigger question is, ‘given the volume and granularity of global financial regulation around conduct, culture and financial crime in the last 15 years, how did one of the world’s most important banks continue to generate so many problems that it ended like this?’.

One interesting clue to this is in the comments in the bank’s annual report describing the SEC’s queries around cash flow restatements going back to 2019 in relation to the netting treatment of some securities lending and borrowing activities. The report says, “management did not design and maintain an effective risk assessment process to identify and analyse the risk of material misstatements in its financial statements”. In a separate statement auditors PwC said that “management did not design and maintain effective controls over the completeness and the classification and presentation of non-cash items in the consolidated statements of cash flows”.

This is what’s wrong with much of the risk and control process in banks at present. There is no risk assessment process that can identify every possible risk in a business to this level of detail and nor should there be. There should be no need for a bank to “design and maintain an effective risk assessment process to identify and analyse the risk of material misstatements in its financial statements”, especially not by defining every possible mistake one could make in preparing the annual report of a global bank and then developing a risk and control framework to monitor for those mistakes.

These are not the kinds of ‘risks’ that belong in an RCSA. These are questions of professional competence and, in this case, understanding accounting rules. You don’t need a risk assessment checklist for them, devised by another department and debated by committee, you need qualified staff whose work is checked by senior internal and external staff upon whose expertise you rely in matters of technical detail. Non-financial risk functions should be concerned with the bigger picture and they should not be building that from the bottom up to that degree.

Credit Suisse said its management team was developing a remediation plan to address the weakness and would “implement robust controls to ensure that all non-cash items are classified appropriately within the consolidated statement of cash flows.”

This granularity is ridiculous. The financial reporting and audit departments of banks ARE the controls that should ensure that all non-cash items are classified appropriately within the consolidated statement of cash flows. In this case, the external auditors picked up the issue, which is their job, and the error (which was technical and did not invalidate the annual report under Swiss law) was rectified. If there was any real failure, it was that the external auditors did not pick the error up quickly enough – so that a last-minute SEC query could then delay publication.

 

A regulatory problem

This is an example of the regulator-driven obsession with more rules and more risk assessments that is paralysing banks with bureaucracy that cannot work.

It is replacing reliance on good hiring and management with dependence on spreadsheets whose granularity gives the illusion of control while in practice swamping control teams no matter how large with data they cannot use effectively.

It is creating a culture in which, no matter what banks and regulators say, risk and control teams are taking day-to-day ownership of risk because the business, often swamped in data, assumes those infrastructures can be relied upon to flag concerns instead of keeping track of them themselves. In practice, those teams are themselves struggling simply to achieve basic regulatory compliance, let alone significant risk mitigation.

Take Archegos. The basic failure was simple: profitability from the relationship was low (tens of millions of dollars at most over several years), yet the risk exposure was reportedly more than $20 billion, or half the bank’s equity cushion against potential losses, and it only held a tenth of that against the position. It shouldn’t need an RCSA to spot that. And how far up the material risk list was a $5 billion loss in prime brokerage anyway? Upheavals are always the result of very large surprises that, by definition, are not flagged early by risk and control systems.

 

Time to change tack

More layers of rules and controls are not the answer. Better big picture business management is. As the huge third-party report commissioned by CS on Archegos showed, the key causes were staff turnover and the replacement of experienced professionals with juniors. Yes, there were also failures of reporting and data systems, but the head of a prime brokerage unit should probably know off the top of their head whether they are running a $5 billion risk or a $20 billion equity exposure and whether a few million bucks is sufficient compensation. That way they wouldn’t shrug off the concerns of risk and control teams.

So why did Credit Suisse ultimately fall? Yes, the regulators are driving a compliance culture that is unintentionally undermining management responsibility at business unit level and below. Yes, the obsession with ever more detailed risk assessments is a distraction from real material risks. Yes, the drive to regulate and put a number on every single aspect of banks’ operational processes, as though they were FX positions, is daft and doomed to fail.

And yes, maybe Credit Suisse was unlucky. With two million customers you get a few bad apples.

But they were unlucky a lot. And they kept being unlucky in the same way. When your customers, many of whom will have been with you for their whole lives, pull the plug, it’s your culture that has gone wrong.