monday september 3 2012 - top 10 risk management news


Page 1: Monday September 3 2012 - Top 10 Risk Management News

Page | 1

_____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP)

www.risk-compliance-association.com

International Association of Risk and Compliance Professionals (IARCP)

1200 G Street NW Suite 800 Washington, DC 20005-6705 USA Tel: 202-449-9750 www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

George Lekatis, President of the IARCP

Dear Member,

Is part of your job to predict the future? Do you live in the new forward-looking perspective in risk management?

In 1964, Arthur C. Clarke, science fiction writer, inventor and futurist, observed: “Trying to predict the future is a discouraging and hazardous occupation, because the prophet invariably falls between two chairs. If his predictions sound at all reasonable, you can be quite sure that in 20, or at most 50 years, the progress of science and technology has made him seem ridiculously conservative. On the other hand, if by some miracle, a prophet could describe the future exactly as it was going to take place, his predictions would sound so absurd, so far-fetched, that everybody would laugh him to scorn.”

Read more at Number 7! Welcome to the Top 10 list.


Agathe Côté: Modelling risks to the financial system

Remarks by Ms Agathe Côté, Deputy Governor of the Bank of Canada, to the Canadian Association for Business Economics, Kingston, Ontario, 21 August 2012.

Solvency II

In 2011, EIOPA focused on preparing the final set of regulatory measures for Solvency II, the draft standards and guidelines.

Credit Risk in the Shared National Credit Portfolio Declines, but Remains High

The credit quality of large loan commitments owned by U.S. banking organizations, foreign banking organizations (FBOs), and nonbanks improved in 2012 for the third consecutive year, according to the Shared National Credits (SNC) Review for 2012.

Progress note on the Global LEI Initiative

This is the first of a series of notes on the implementation of the legal entity identifier (LEI) initiative. The G-20 in Los Cabos endorsed the FSB recommendations and asked the Board to take forward the work to launch the global LEI system by March 2013.


OCC Updates Stress Testing Implementation Timeline

The Office of the Comptroller of the Currency (OCC) today announced it is considering changes to the implementation timeline for the company-run stress testing required by the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Security First: New NIST Guidelines on Securing BIOS for Servers

From NIST Tech Beat: August 21, 2012

The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers.

Understanding threats

Statement by Dr. Kaigham J. Gabriel Deputy Director, Defense Advanced Research Projects Agency Submitted to the Subcommittee on Emerging Threats and Capabilities United States House of Representatives

FSA statement regarding CRD IV implementation

CRD IV has been under discussion between the European Parliament, European Commission and Council of Ministers.


Understanding better… Information Operations, Electronic Warfare, Computer Network Operations

Information Operations - The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own.

An interesting article about China. We will be glad to discuss other opinions in our next newsletter.

China’s Slowdown May Be Worse Than Official Data Suggest by Janet Koech and Jian Wang


NUMBER 1

Agathe Côté: Modelling risks to the financial system

Remarks by Ms Agathe Côté, Deputy Governor of the Bank of Canada, to the Canadian Association for Business Economics, Kingston, Ontario, 21 August 2012. * * *

Introduction

It has become a summer tradition for the Bank of Canada to address the Canadian Association for Business Economics. This year it is my pleasure and I thank you for the kind invitation. An audience of colleagues and fellow economists offers me an opportunity to delve into a complex subject, and one that is particularly timely: financial system risk.

We continue to see today the enormous costs to the global economy of the financial crisis that started five years ago. Of the many lessons we have learned from the crisis, a key one is this: we need to pay more attention to the stability of the financial system as a whole. This means understanding better how risks get transmitted across financial institutions and markets, and understanding better the feedback loop between the financial system and the real economy. From a policy perspective, this means taking a system-wide approach to financial regulation and supervision. Major reforms of the global financial system now under way address this need.


System-wide risk has been a focus of attention at the Bank of Canada, and at other central banks, for some time. Ten years ago, the Bank issued the first edition of its semi-annual Financial System Review in which it identifies key sources of risks to the Canadian financial system and highlights the policies needed to address them. A year later, in 2003, we organized our annual conference on the theme of financial stability.

In the wake of the global financial crisis, the Bank has intensified its research efforts in this area. In particular, a priority is to improve the theoretical and empirical models we use to analyze elements of the financial system that can lead to the emergence of risks and vulnerabilities. With more finely tuned quantitative models and tools, the Bank will be better able to identify risks on a timely basis so that the private sector and policy-makers can take corrective action to support financial stability.

Let me acknowledge upfront that this task is complex. While macroeconomic models have long been used to guide monetary policy decisions by central banks, models of financial stability and systemic risk are much less advanced.

In my remarks today, I want to talk about the progress that we have made at the Bank in modelling risks to the financial system. I will start by briefly describing the notion of systemic risk and various approaches used to identify and measure it. I will then discuss two state-of-the-art quantitative models that we have developed to improve our assessment of risks to the Canadian financial system.


The multiple dimensions of systemic risk

Systemic, or system-wide, risk goes beyond individual institutions and markets. It is the risk that the financial system as a whole becomes impaired and that the provision of key financial services breaks down, with potentially serious consequences for the real economy.

Systemic risk manifests itself in different ways. There is a time dimension, which refers to the accumulation of imbalances over time, and a cross-sectional dimension, which refers to how risk is distributed throughout the financial system at a given point in time.

Procyclicality is the key issue in the time dimension. It reflects the tendency to take on excessive risk during economic upswings – too much punch from the punchbowl, if you will – and to become overly risk averse during the downturns. Procyclicality makes the financial system and the economy more vulnerable to shocks, and increases the likelihood of financial distress.

Risk concentrations and interconnections are the key issues in the cross-sectional dimension. Financial institutions can have similar exposures to shocks or be linked through balance sheets. As a result, losses in one institution can lead to fears of contagion that amplify the adverse effects of the initial shock. For instance, uncertainty about the viability of counterparties can lead to hoarding of liquidity, which may seem like an appropriate action for the individual institution but can have disastrous consequences for the financial system as a whole.


System-wide surveillance requires that we regularly assess the importance of various types of systemic risk. How we judge a particular risk will be based on the probability that it will lead to financial system distress, and on the extent of its impact should that distress materialize.

Early-warning indicators

A fundamental challenge is to detect the risks arising from both global and domestic sources in an environment with a vast number of potential indicators. Therefore, one direction of research at the Bank has been to isolate the key signals from this broad information set by identifying a smaller group of variables that can serve as early-warning indicators of emerging imbalances.

Since financial crises in Canada have been rare, international data are used to help establish numerical thresholds for each domestic indicator. For example, if international evidence suggests that credit growth above a certain rate tends to be associated with increased risk, then a period with credit growth above the threshold would suggest an elevated probability of financial stress. Selecting the level of thresholds involves a difficult trade-off between false alarms and failure to signal an event, so in practice the early-warning indicators are used mainly to identify areas where more detailed investigation may be warranted. They provide an objective, practical starting point to detect the buildup of imbalances in the financial system.

One early-warning indicator that we regularly track is the deviation of the aggregate private sector credit-to-GDP ratio from its trend (the credit-to-GDP gap), which serves as a rough measure of excessive leverage across the financial system (Chart 1).


This indicator has been shown to provide some leading information as a predictor of banking crises, and has been proposed by the Basel Committee on Banking Supervision (BCBS) as a useful guide for decisions about when to activate the countercyclical capital buffer – an important macroprudential policy instrument in the Basel III agreement.

Given the complexity of systemic risk, it is unrealistic to expect a single measure or indicator to serve all purposes. Combining indicators can produce better signals with fewer false alarms and undetected crises. For example, research shows that combining the credit-to-GDP gap with a measure of real estate prices produces an indicator that performs better than either variable on its own. Our own work at the Bank reinforces findings elsewhere that aggregate private sector credit and real estate prices are among the most reliable indicators of financial stress.
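The threshold logic of the two preceding passages, as an added illustration that is not the Bank of Canada's indicator code: it computes a credit-to-GDP gap against a one-sided trailing trend (so no future data leaks into the signal), flags quarters whose gap is at or above a threshold, and then shows how requiring a second indicator (house prices above trend) to confirm the signal reduces the number of alarms. The quarterly series, the trailing-mean trend (the speech does not say how the trend is estimated), the 8-quarter window and both thresholds are constructed assumptions, not the Bank's calibration.

```python
from statistics import mean

# Constructed quarterly data (not real statistics): private-sector credit as a
# percentage of GDP, and a real house-price index, over 15 quarters.
CREDIT_TO_GDP = [150, 151, 152, 152, 153, 154, 155, 158, 162, 167, 173, 180, 182, 181, 178]
HOUSE_PRICES = [100, 101, 102, 103, 104, 105, 107, 110, 115, 122, 130, 138, 140, 137, 132]

# Assumed thresholds (illustrative, not the speech's numbers): a credit gap of
# 10 percentage points and a house-price gap of 15 per cent above trend.
CREDIT_GAP_THRESHOLD = 10.0
PRICE_GAP_THRESHOLD = 15.0


def trailing_trend(series, t, window):
    """Trend at quarter t: mean of the previous `window` quarters only, so the
    indicator never uses data that was unavailable at the time (no look-ahead)."""
    return mean(series[t - window:t])


def credit_gap(series, window=8):
    """Credit-to-GDP gap in percentage points: level minus trailing trend.
    Quarters without a full window of history get None (no signal possible)."""
    return [None if t < window else x - trailing_trend(series, t, window)
            for t, x in enumerate(series)]


def price_gap(series, window=8):
    """House-price gap in per cent above the trailing trend."""
    return [None if t < window else 100.0 * (x / trailing_trend(series, t, window) - 1.0)
            for t, x in enumerate(series)]


def flagged_quarters(gaps, threshold):
    """Indices of quarters whose gap is at or above the threshold."""
    return [t for t, g in enumerate(gaps) if g is not None and g >= threshold]


def combined_signal(credit_flags, price_flags):
    """Quarters flagged by both indicators: fewer alarms than either alone."""
    return sorted(set(credit_flags) & set(price_flags))


def early_warning_report():
    """Single-indicator signals beside the combined signal for the sample data."""
    credit_flags = flagged_quarters(credit_gap(CREDIT_TO_GDP), CREDIT_GAP_THRESHOLD)
    price_flags = flagged_quarters(price_gap(HOUSE_PRICES), PRICE_GAP_THRESHOLD)
    return {
        "credit_only": credit_flags,
        "prices_only": price_flags,
        "combined": combined_signal(credit_flags, price_flags),
    }


if __name__ == "__main__":
    for name, quarters in early_warning_report().items():
        print(f"{name:12s} -> quarters {quarters}")
```

On the sample data the credit gap alone flags five quarters (9 to 13) while the combined rule flags four (9 to 12): the last credit alarm is not confirmed by house prices and drops out. Raising a threshold removes alarms in the same way, which is the trade-off the speech describes between false alarms and missed events.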


Identifying sources of risk is essential, but so is determining the likelihood that these risks will materialize. Therefore, another important aspect of ongoing research is the development of statistical models to help us forecast the probability that a crisis will occur based on a group of indicators.

Macro stress tests

Early-warning indicators are useful to gauge the probability of financial stress, but a thorough assessment also requires an analysis of what could happen if the risk materializes. This is the goal of macro stress testing. A good part of the Bank’s efforts in recent years has been devoted to developing and refining stress-testing models. This class of models takes a large but plausible macroeconomic shock as a starting point and analyzes its impact on the balance sheets of banks or other sectors of the economy. The Bank now has two main stress-testing models to help monitor risks to the financial system. These models can also be used to assess the potential impact of policy tools or regulatory actions in mitigating financial system risks.

Assessing risks from elevated household debt

The first, the Household Risk Assessment Model, or HRAM, is a microsimulation model that assesses how the debt burden of Canadian households can affect financial stability. Using microdata from household balance sheets, the model allows us to estimate how various shocks would affect the distribution of debt within the household sector.


The simulations take into account changes over time in individual debt levels, as well as changes in household wealth from savings and fluctuations in the value of financial assets. Tracking the asset side of household balance sheets gives us a more accurate picture of systemic risk since changes in wealth affect households’ ability to pay their debt.

Household vulnerabilities depend not only on the average level of debt, but also on how debt is distributed across individuals. One strength of the model is precisely its ability to account for this distribution. For instance, while record-low interest rates in recent years have contributed to a relatively low aggregate household debt-service ratio, the share of Canadian households that are considered most vulnerable – those with a debt-service ratio equal to or higher than 40 per cent – has climbed to above-average levels, as has the proportion of debt held by these vulnerable households (Chart 2).


Using HRAM, we estimate that if interest rates were to rise to 4.25 per cent by mid-2015, the share of highly indebted households would rise from slightly above 6 per cent in 2011 to roughly 10 per cent by 2016, while the proportion of debt held by these households would rise from 11.5 per cent to about 20 per cent over the same period. So while the aggregate household debt-service ratio paints a somewhat rosy picture, taking into account distributions gives us a clearer and more cautionary indication of how vulnerable our financial system actually is to household debt.

Another strength of the model is that it provides a flexible tool for simulating the impact on household solvency of a wide range of potential shocks, such as an increase in unemployment. HRAM indicates that household loans in arrears would more than double under a severe labour market shock similar to that observed in the recession of the early 1990s.

Despite the model’s strengths, we continue to enhance our analysis by improving HRAM. Expanding the behavioural aspects of the model is one way to do this. For instance, the model currently allows distressed households to pay their debts by selling their liquid assets, but not their homes. Work is also under way to improve the design of the shock scenarios. Results of stress tests using HRAM are regularly reported in the Bank’s Financial System Review and constitute an important element of our overall assessment of the risks associated with household finances.
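The point that "distributions matter", as an added worked example that is not HRAM and uses no Bank of Canada microdata: a handful of constructed households are run through an interest-rate shock, and the aggregate debt-service ratio is reported beside the share of households at or above the 40 per cent threshold the speech uses and the share of debt they hold. The household balance sheets, the two interest rates and the simplified debt-service formula (interest at the prevailing rate plus 2 per cent principal repayment per year) are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Household:
    name: str
    income: float  # annual income
    debt: float    # outstanding debt


# Constructed household balance sheets (not survey microdata), in dollars.
HOUSEHOLDS = [
    Household("A", 60_000, 0),
    Household("B", 80_000, 150_000),
    Household("C", 50_000, 300_000),
    Household("D", 120_000, 400_000),
    Household("E", 45_000, 300_000),
    Household("F", 70_000, 350_000),
    Household("G", 90_000, 100_000),
    Household("H", 40_000, 250_000),
]

# Vulnerability threshold used in the speech: debt-service ratio of 40 per cent or more.
VULNERABLE_DSR = 0.40
# Assumed simplification: annual debt service is interest at the prevailing rate
# plus repayment of 2 per cent of the principal.
PRINCIPAL_SHARE = 0.02


def debt_service(debt, rate):
    return debt * (rate + PRINCIPAL_SHARE)


def household_dsr(h, rate):
    return debt_service(h.debt, rate) / h.income


def aggregate_dsr(households, rate):
    """Sector-wide ratio: total debt service over total income. This is the
    aggregate figure that can look reassuring while the tail deteriorates."""
    total_service = sum(debt_service(h.debt, rate) for h in households)
    return total_service / sum(h.income for h in households)


def vulnerability(households, rate, threshold=VULNERABLE_DSR):
    """Distributional view: how many households exceed the threshold and how
    much of the sector's debt they hold."""
    vulnerable = [h for h in households if household_dsr(h, rate) >= threshold]
    total_debt = sum(h.debt for h in households)
    return {
        "vulnerable_count": len(vulnerable),
        "share_of_households": len(vulnerable) / len(households),
        "share_of_debt": sum(h.debt for h in vulnerable) / total_debt,
    }


def rate_shock_comparison(households, baseline_rate, shocked_rate):
    """Rows of (rate, aggregate DSR, vulnerable household share, debt held by vulnerable)."""
    rows = []
    for rate in (baseline_rate, shocked_rate):
        v = vulnerability(households, rate)
        rows.append((rate, aggregate_dsr(households, rate),
                     v["share_of_households"], v["share_of_debt"]))
    return rows


if __name__ == "__main__":
    print("rate   aggregate DSR  vulnerable share  debt held by vulnerable")
    for rate, agg, hh_share, debt_share in rate_shock_comparison(HOUSEHOLDS, 0.03, 0.05):
        print(f"{rate:.2%}  {agg:12.1%}  {hh_share:15.1%}  {debt_share:20.1%}")
```

With these inputs a rise from 3 to 5 per cent moves the aggregate ratio from about 16.7 to 23.3 per cent, a change that looks manageable on its own, while the share of households above the threshold goes from zero to three of eight and the share of debt they hold from zero to about 46 per cent. That gap between the aggregate and the tail is what the microsimulation approach is designed to expose.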

Assessing contagion effects in the banking system

HRAM provides invaluable information on vulnerabilities in the household sector, but the Bank is also interested in assessing risks more broadly within the Canadian financial system.


To this end, we have been working for several years on developing a Macro Financial Risk Assessment Framework (or MFRAF). Drawing on detailed data from bank balance sheets, MFRAF is a quantitative model that tracks the contribution of individual banks to systemic risk.

Traditional stress-testing models focus exclusively on solvency risk, and estimate the overall risk to the financial system by simply aggregating credit (or other asset) losses that would materialize at individual banks in the event of a severe shock. MFRAF goes beyond this traditional approach by taking into account linkages among banks arising from counterparty exposures – or network spillover effects – as well as funding liquidity risk, that is, the risk of market-based runs on banks.

The financial crisis illustrated the significant risks associated with a deterioration of funding liquidity. The collective reactions of market participants led to mutually reinforcing solvency and liquidity problems at banks around the world. As funding liquidity evaporated, many well-capitalized institutions had to take writedowns on illiquid assets, or sell them at a loss, creating uncertainty in the market about their solvency and adding to the downward pressure on asset prices.

MFRAF has been built to integrate funding liquidity risk as an endogenous outcome of the interactions between solvency concerns and the liquidity profiles of banks. This strong microeconomic foundation constitutes a major innovation in macro stress-testing models. MFRAF also incorporates network externalities caused by the defaults of counterparties, with the size of a counterparty’s interbank exposures increasing the likelihood of spillover effects.


A key lesson from the model is that failure to account for either funding liquidity risk or interbank exposures could lead to significant underestimation of the risks to the financial system as a whole if the banking system is undercapitalized and relies extensively on the short-term funding market. Importantly, the loss distributions generated by the model exhibit fat tails, a key feature of the actual distribution of financial system risks (Chart 3).

The fact that the model is able to replicate this important stylized fact demonstrates that it has significant potential as a tool for assessing systemic risk. Nevertheless, while MFRAF is already somewhat complex, the layers of interaction will need to be further augmented. For instance, the model misses any negative feedback that could occur between heightened risks to the banking system and the real economy. The model could also be expanded over time to include other types of financial institutions and markets.
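The network-spillover channel described above, as an added illustration that is not MFRAF and uses no Bank of Canada data: a simple default cascade over a constructed set of banks and bilateral interbank exposures. A bank defaults when its cumulative losses reach its capital, and each default passes a loss-given-default share of the exposure on to its creditors, which may tip further banks over. Running the same shock with the spillover switched off reproduces the "traditional" solvency-only aggregation the speech contrasts with MFRAF. The capital figures, exposure matrix, initial shock and loss-given-default parameter are assumptions; the funding-liquidity channel MFRAF models endogenously is deliberately left out here.

```python
# Constructed banking system (not real data): capital buffers, in billions.
CAPITAL = {"A": 10.0, "B": 6.0, "C": 6.0, "D": 12.0}

# EXPOSURES[(creditor, debtor)] = amount the debtor owes the creditor, in billions.
EXPOSURES = {
    ("A", "B"): 5.0,
    ("A", "C"): 2.0,
    ("B", "C"): 7.0,
    ("C", "D"): 3.0,
    ("D", "A"): 4.0,
}

# Initial macro shock: credit losses hitting one bank's loan book.
INITIAL_LOSSES = {"C": 7.0}


def default_cascade(capital, exposures, initial_losses, lgd=1.0):
    """Iterate counterparty defaults until the system settles.

    A bank defaults when its cumulative losses reach its capital. Each default
    passes `lgd` (loss given default, an assumed parameter) times the interbank
    exposure on to every creditor, which may push further banks over the edge.
    Returns the set of defaulted banks and the per-bank loss tally."""
    losses = {b: initial_losses.get(b, 0.0) for b in capital}
    defaulted = set()
    while True:
        newly = {b for b in capital if b not in defaulted and losses[b] >= capital[b]}
        if not newly:
            return defaulted, losses
        for debtor in newly:
            defaulted.add(debtor)
            for (creditor, d), amount in exposures.items():
                if d == debtor:
                    losses[creditor] += lgd * amount


def system_loss(losses):
    """Total losses across the system, the quantity whose distribution has fat tails."""
    return sum(losses.values())


def compare_with_and_without_network(capital, exposures, initial_losses, lgd=1.0):
    """Solvency-only aggregation (lgd=0, no spillovers) beside the network result."""
    solo_defaults, solo_losses = default_cascade(capital, exposures, initial_losses, lgd=0.0)
    net_defaults, net_losses = default_cascade(capital, exposures, initial_losses, lgd=lgd)
    return {
        "solvency_only": (sorted(solo_defaults), system_loss(solo_losses)),
        "with_network": (sorted(net_defaults), system_loss(net_losses)),
    }


if __name__ == "__main__":
    result = compare_with_and_without_network(CAPITAL, EXPOSURES, INITIAL_LOSSES)
    for label, (defaults, total) in result.items():
        print(f"{label:14s} defaults={defaults} system loss={total:.1f}")
```

With the spillover switched off, the 7.0 shock to bank C produces one default and a system loss of 7.0; with full loss given default it also brings down B, C's largest creditor, and the system loss triples to 21.0 even though A and D survive. Halving the loss given default stops the cascade at C, which is the kind of parameter sensitivity the speech's remark about interbank exposure size and spillover likelihood refers to.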


Compared with other approaches that use market-based data, such as the asset-pricing approach, the transmission channel in models like MFRAF is transparent, and this improves our interpretation of results. Because of this “story-telling” ability, many central banks have begun to use this type of framework in their financial stability analysis. In addition to assessing risks, MFRAF can be used to examine the merits of policy or regulatory initiatives such as capital and liquidity rules. As the model becomes more refined, the objective is to use it more to complement other existing macro stress-testing exercises and to sharpen our analysis and communication of risks in the Bank’s Financial System Review.

Conclusion

Let me conclude. The Bank of Canada is conducting extensive research into finding methodologies and tools to identify and measure systemic risk. While work in this area is extremely complex, the Bank has made substantial progress in recent years. We now have two state-of-the-art models. And with HRAM, the Bank of Canada is one of the few central banks at the leading edge of using microsimulation models to assess vulnerabilities in the household sector.

Our efforts to build these models have provided us with important lessons. First, distributions matter – we cannot rely solely on aggregate data: distributional features and complex interactions are very important for assessing risks. This means developing models that capture these effects.


Our household simulation model is aimed directly at understanding how the distribution of debts, assets and income affects financial stability. MFRAF uses information about the interconnections of individual financial institutions because these can lead to non-linear network effects that are also important for assessing systemic risks.

Second, predicting behaviour under stress conditions is very difficult. Models need to be able to handle a variety of “what-if” scenarios corresponding to different assumptions about behaviours under stress.

Finally, we need to consider the many different sources of risk to the financial sector and take into account their cumulative effects and interactions; otherwise we may underestimate risks.

Obviously, quantitative measures alone will never be enough to get a complete picture, especially since the financial system evolves rapidly. Intelligence gathered from discussions with the financial sector, as well as information shared with other policy-makers and supervisors here in Canada and in the international community, will always be critical to the overall assessment of the risks.

While we are making progress, it is important to remember that financial system modelling is still in its infancy. The goal – understanding, preventing, and reducing systemic risk – deserves our attention, diligent research and hard work. It has been my pleasure to share some of the Bank’s efforts with you today. Thank you very much.


NUMBER 2

Solvency II

In 2011, EIOPA focused on preparing the final set of regulatory measures for Solvency II, the draft standards and guidelines. One of the main achievements of EIOPA in 2011 was the report on the Fifth Quantitative Impact Study (QIS5) summarising the potential impact of the detailed implementing measures to be drafted for the Solvency II regulatory framework. QIS5 has been the most ambitious and comprehensive impact study ever carried out in the financial sector, with the direct involvement of more than 2500 entities and 100 supervisors from member states and EIOPA, working together for almost a full year.

EIOPA launched official public consultations in 2011 in two areas in which early discussion with and preparation by the industry are particularly important. These consultations were on the draft standards and guidelines on reporting and disclosure, and on guidelines on Own Risk and Solvency Assessment (ORSA).

At the end of 2011, EIOPA submitted additional advice to the European Commission on the calibration of the non-life underwriting risk module. In the area of catastrophe risk, EIOPA made its final recommendation for the implementing measures on a number of outstanding non-life and health catastrophe risk issues. Several task forces concluded their work in 2011, resulting in the publication of the following reports: “Calibration of the Premium and Reserve Risk Factors in the Standard Formula of Solvency II” and the “Report of the Task Force on Expected Profits arising from Future Premiums”.


Finally, since the creation of EIOPA’s Insurance and Reinsurance Stakeholder Group, EIOPA has benefited from their expertise and wide range of views and interests, and actively involved its members in major aspects of Solvency II.

Occupational pensions

The main focus of EIOPA’s work on occupational pensions in 2011 was developing EIOPA’s response to the Call for Advice from the European Commission on the review of Directive 2003/41/EC on the activities and supervision of institutions for occupational retirement provision (IORP Directive). The work on the Call for Advice was organised in four sub-groups, all working in parallel, but all reporting to the Occupational Pensions Committee (OPC).

In 2011, EIOPA also completed a number of survey-based reports on reporting requirements, risks related to DC schemes and pre-enrolment information. These surveys were conducted to provide a common technical basis for responding to the Call for Advice.

During 2011, EIOPA carried out two public consultations on its draft advice: the first, between 8 July 2011 and 15 August 2011, on selected aspects of the Call for Advice; the second, between 25 October 2011 and 2 January 2012, on the entire draft advice. EIOPA also submitted during the year 2011 its input to the ESRB on data requirements for IORPs and published its recurrent report on market developments.


Consumer protection and financial innovation

EIOPA has considered, from day one, consumer protection as a cornerstone of its work and an area where a difference has to be made, and EIOPA has been proactive in the area of consumer protection and financial innovation. In the course of 2011, the Authority prepared “The Proposal for Guidelines on Complaints-Handling by Insurance Undertakings”, the Report on Best Practices by Insurance Undertakings in handling complaints and finalised a “Report on Financial Literacy and Education Initiatives by Competent Authorities”.

EIOPA also collected data on consumer trends among its members to prepare an initial overview, analysing and reporting on those trends. The Authority also provided relevant input to the European Commission’s revision of the Insurance Mediation Directive (IMD) by carrying out an extensive survey of sanctions (both criminal and administrative) provided for in national laws for violations of IMD provisions.

External commitment, including benefiting from the expert input of EIOPA’s two Stakeholder Groups and holding EIOPA’s first Consumer Strategy Day, was also crucial to EIOPA achieving its goals in 2011.

Colleges of Supervisors and cross-border crisis management and resolution

EIOPA’s tasks go beyond pure regulatory work, and include concrete oversight responsibilities, including an enhanced role as members of the different colleges of supervisors. The overall strategic target of EIOPA’s College work is to consolidate the position of the European Economic Area (EEA) supervisory community vis-à-vis insurance groups operating across borders for the benefit of both group and solo supervision.

In 2011, around 89 insurance groups with cross-border undertakings were registered in the EEA. During the year, Colleges of Supervisors having at least one actual meeting or teleconference were organised for 69 groups. A total of 14 national supervisory authorities acted as group supervisors to organise the events. During the setup phase in the first year after its establishment, EIOPA attended College meetings and/or teleconferences of 55 groups.

In early 2011, a set of interim procedures for dealing with emergency situations was developed by EIOPA in conjunction with the other ESAs. A seconded national expert in crisis management was appointed in March 2011, and work then commenced on the development of a permanent crisis management framework by EIOPA. Key to this was the development of a strategic policy on crisis management. At the end of 2011 a Task Force on Crisis Management delivered a comprehensive decision-making framework on crisis pre-emption and crisis management.

Financial stability

The common theme of EIOPA’s financial stability initiatives in 2011 was to identify, at an early stage, trends, potential risks and vulnerabilities stemming from micro and macroeconomic developments, and, where necessary, to inform the relevant EU institutions. This was achieved by specific and regular market monitoring, information sharing and discussions on mitigating measures in the Financial Stability Committee (FSC).


In line with this objective, EIOPA’s FSC set up its first (pilot) risk dashboard in October 2011, containing a common set of quantitative and qualitative indicators that help to identify and measure systemic risk. This dashboard is to be developed further as a joint effort of the ESAs and the ESRB. In the course of 2011, EIOPA was an active member of the ESRB Steering Committee, which was established in order to assist in the decision-making process of the ESRB. EIOPA also took part in the ESRB Advisory Technical Committee (ATC) and its technical subcommittees, with the main focus on identifying potential systemically important issues in the sectors of insurance and IORPs. Furthermore, EIOPA participated in the joint ATC and Advisory Scientific Committee (ASC) expert group dealing with the regulatory treatment of sovereign exposures. In 2011, the three ESAs and the ESRB signed a joint “Agreement on the establishment at the ESRB Secretariat of specific confidentiality procedures in order to safeguard information regarding individual financial institutions and information from which individual financial institutions can be identified”. EIOPA also began designing a database of current and historical data for IORPs and insurance and reinsurance undertakings in the European Union. During 2011, EIOPA conducted harmonised, pan-European core and low-yield stress tests for the insurance sector in cooperation with the ESRB, ECB and EBA. In June and December 2011, EIOPA published its two semiannual Financial Stability Reports containing an assessment of the economic soundness of European insurance and reinsurance undertakings and IORPs.


In December 2011, EIOPA put out for public consultation a set of data reporting templates necessary for regularly assessing sectoral risk and monitoring financial developments once Solvency II enters into force.

EIOPA Overview

Introduction

The European Insurance and Occupational Pensions Authority (EIOPA) was established as a result of the reforms of the structure of supervision of the financial sector of the European Union (EU) that followed the financial crisis of 2007, as the crisis demonstrated that the pre-existing 3L3 Committees (CEIOPS, CEBS and CESR) had reached their limit. Before and during the financial crises of 2007 and 2008, the European Parliament called for a move towards greater European supervisory integration in order to ensure a true level playing field for all players at the level of the European Union and to reflect the increasing integration of the financial markets of the EU. In response to the global financial crisis, the European Commission tasked a High Level Group (Committee of Wise Men), chaired by Mr Jacques de Larosiere, to consider how the European supervisory arrangements could be strengthened, both to better protect EU citizens and to rebuild trust in the financial system. Among its many conclusions, the Group stressed that supervisory arrangements should not only concentrate on the supervision of individual firms, but also place emphasis on the stability of the financial system as a whole. Following the recommendations of the Committee of Wise Men, the European Commission initiated a reform, which was supported by the European Council and the European Parliament. As a result, the supervisory framework was strengthened to mitigate the risk and severity of future financial crises.


EIOPA is part of a European System of Financial Supervision (ESFS), the purpose of which is to ensure supervision of the EU financial system. The ESFS comprises the three European Supervisory Authorities (ESAs): the European Banking Authority (EBA), based in London, the European Securities and Markets Authority (ESMA), based in Paris, and EIOPA, based in Frankfurt, as well as the European Systemic Risk Board (ESRB), based in Frankfurt, and the competent or supervisory authorities in the EU Member States as specified in the legislation establishing the three ESAs.

EIOPA’s main goals are:

• To better protect consumers, thus rebuilding trust in the financial system;

• To ensure a high, effective and consistent level of regulation and supervision, taking account of the varying interests of all Member States and the different nature of the financial institutions;

• To achieve a greater harmonisation and coherent application of the rules applicable to the financial institutions and markets across the European Union;

• To strengthen oversight of cross-border groups;

• To promote a coordinated European Union supervisory response.

EIOPA’s core responsibilities are to support the stability of the financial system, ensure the transparency of markets and financial products and protect policyholders, pension scheme members and beneficiaries. EIOPA is commissioned to monitor and identify trends, potential risks and vulnerabilities at the micro-prudential level, across borders and across sectors. EIOPA is an independent advisory body to the European Parliament, the Council of the European Union and the European Commission.


To account for the specific conditions in the national markets and the nature of the financial institutions, the European System of Financial Supervision is an integrated network of national and European supervisory authorities that provides the necessary links between the macro and micro prudential levels, leaving day-to-day supervision to the national level. EIOPA is governed by its Board of Supervisors, whose members are the heads of the relevant national authorities in the field of insurance and IORPs in each Member State.

The European Union’s national supervisory authorities are a source of expertise and information in the field of insurance and IORPs.

Policy Working Groups

The majority of Policy Working Groups dealt with insurance and reinsurance-related issues, in particular Solvency II. Two other Working Groups in the policy area dealt with IORPs (IORP Directive) and equivalence-related issues.

Solvency II Working Groups

The Solvency II project is completely reshaping the supervisory and regulatory framework for insurance and reinsurance companies, bringing a modern risk-oriented, economic and principle-based set of rules. One of the main tasks for EIOPA in the coming years is to prepare the new supervisory regime for insurance and reinsurance undertakings and particularly to conduct all the necessary work for implementation of the EU Directive on the taking-up and pursuit of the business of insurance and reinsurance (Solvency II). During 2011, the Solvency II Working Groups developed draft standards and guidelines which are likely to be required by the Omnibus II Directive, and which EIOPA considers as essential for ensuring the existence of convergent supervisory practices from Solvency II’s first day of entry into force. Pre-consultations with selected stakeholders were held as part of the continuous informal discussion with stakeholders while awaiting confirmation of the formal legal basis for public consultation on the standards. Each Working Group contributed to EIOPA’s training programme for supervisors and, where relevant, Working Groups were involved in the discussions conducted by the European Commission on implementing measures. Working Groups contributed to those areas of each other’s work that required a cross-working group perspective, such as governance or reporting.

Insurance Groups Supervision Committee (IGSC)

The Insurance Groups Supervision Committee (IGSC) focused on developing draft technical standards and guidelines for the convergent implementation of Solvency II in the areas of group solvency calculations, intra-group transactions and risk concentration, the cooperation and exchange of information in Colleges, and the treatment of third country branches.

Financial Requirements Committee (FinReq)

The Financial Requirements Committee (FinReq) focused on developing draft technical standards and guidelines for the convergent implementation of Solvency II in the areas of own funds, technical provisions, and the standard formula for capital requirements, including the use of undertaking-specific parameters. FinReq contributed to the development of calibration factors for non-life underwriting risk and catastrophe risk.


Internal Governance, Supervisory Review and Reporting Committee (IGSRR)

The Internal Governance, Supervisory Review and Reporting Committee (IGSRR) focused on developing draft technical standards and guidelines for the convergent implementation of Solvency II in the areas of system of governance, including Own Risk and Solvency Assessment (ORSA), transparency and accountability of supervisory authorities, public disclosure and supervisory reporting, and valuation of assets and liabilities (other than technical provisions). Public consultation on the ORSA guidelines and reporting and disclosure requirements was launched at the end of 2011. IGSRR also started working on guidelines for external audit, the supervisory review process, capital add-ons, and the extension of the recovery period in the event of an exceptional fall in financial markets.

IGSRR prepared EIOPA’s contribution to the International Financial Reporting Standard (IFRS) setting process and to the EU endorsement process.

Internal Models Committee (IntMod)

The Internal Models Committee (IntMod) focused on developing draft technical standards and guidelines for the convergent implementation of Solvency II in the areas of tests and standards for full and partial internal models, requirements for the approval process, and the policy for introducing changes to the model. In order to increase supervisory convergence and to prepare industry and supervisors for the use of internal models under Solvency II, IntMod implemented initiatives for enhancing supervisory consistency across Europe in the pre-application process for internal models, and for ensuring adequate cooperation between supervisors when assessing internal models.


These initiatives involved practical meetings between operational supervisors and training activities.

Task Force on Expected Profits arising from Future Premiums (EPIFP)

This task force was created to develop a common understanding of the element of expected profits included in future premiums (EPIFP) so as to advise the Commission on the drafting of implementing measures after the fifth quantitative impact study (QIS5). It was composed of representatives of industry, the European Commission and EIOPA members and discussed possible ways of harmonising the calculation of EPIFP under Solvency II. EIOPA submitted a report to the European Commission which ultimately only represented the views of its own members.

Occupational Pensions Committee (OPC)

The main focus of the Occupational Pensions Committee (OPC) work between April 2011 and the end of the year was developing EIOPA’s advice to the European Commission on the review of the IORP Directive in response to the Call for Advice. Beyond this, OPC own-initiative projects in 2011 included the publication of a number of survey-based reports as follows:

• ‘Report on reporting requirements to supervisory authorities for IORPs’

• ‘Report on market developments 2011’

• Two reports on risks relating to members of defined contribution pension schemes (risks faced by members and mechanisms mitigating those risks)

• ‘Report on pre-enrolment information’ as part of a wider OPC mandate on Packaged Retail Investment Products (PRIPs) and pensions

Other inputs included a contribution to a report on the European Systemic Risk Board (ESRB) data requirements in respect of IORPs.

Equivalence Committee

In January 2011, the Equivalence Committee was set up with its main task being to respond to requests from the European Commission for final advice, after full consultation, on the equivalence of third countries’ supervisory systems. On 26 October 2011, upon request of the European Commission, EIOPA delivered its final advice, after full consultation, on the Solvency II equivalence assessments of the supervisory systems in the following countries: Switzerland, Bermuda and Japan. The supervisory systems of Switzerland and Bermuda were assessed with reference to reinsurance, inclusion of the third country undertaking in the group solvency calculation and group supervision, while the supervisory system of Japan was assessed only with reference to reinsurance. The equivalence assessment was based on respective questionnaires filled in by the relevant supervisory authorities (Swiss Financial Supervisory Authority – FINMA; Bermuda Monetary Authority – BMA; and the Japan Financial Services Authority – JFSA), followed by a desk-based analysis using EIOPA’s methodology, and onsite visits by EIOPA experts to each of the three countries.

Regulatory Working Groups

Committee on Consumer Protection and Financial Innovation (CCPFI)

In 2011, the Committee on Consumer Protection and Financial Innovation (CCPFI) supported EIOPA in fulfilling the requirement laid down in its Regulation of taking a leading role in the area of consumer protection and financial innovation, as follows:

• preparing “Guidelines on Complaints-Handling by Insurance Undertakings” and “Report on Best Practices by Insurance Undertakings in handling complaints”;

• preparing the “Report identifying Good Practices for Disclosure and Selling of Variable Annuities”;

• finalising the “Report on Financial Literacy and Education Initiatives by Competent Authorities”;

• collecting data on consumer trends among its members so as to prepare an initial overview, analysing and reporting on those trends;

• carrying out an extensive survey of sanctions (both criminal and administrative) provided for in national laws for violations of IMD provisions.

Task Force on Insurance Guarantee Schemes (TF-IGS)

This task force met in the course of 2011 to prepare the report on the cross-border cooperation mechanisms between IGSs in the EU. In accordance with EIOPA’s mandate to contribute to assessing the need for a European network of IGSs that is adequately funded and sufficiently harmonised, the report was EIOPA’s input to the European Commission’s policy-making on IGSs. It summarised the findings from a mapping exercise of the existing mechanisms on cross-border cooperation between the IGSs of Member States, and provided general recommendations to the European Commission in the area of cooperation between IGSs and with their supervisors.


Oversight Working Groups

Review Panel

At the beginning of 2011, the Review Panel, using the experience and lessons learned from its first peer review exercise completed in 2010, reviewed the methodology for peer reviews in line with the EIOPA Regulation. In the middle of the year, the Review Panel started work on three peer review projects on supervisory practices for pre-application of internal models, supervision of branches of EEA insurance undertakings, and supervision of IORPs. These peer reviews are due to be completed in 2012.

Task Force on Crisis Management

In 2011, a Task Force on Crisis Management was established to develop EIOPA’s structures for crisis prevention, management and resolution. In December 2011, this task force delivered a comprehensive decision-making framework that was endorsed by the Board of Supervisors. This framework sets out in detail the processes that EIOPA will follow in discharging its crisis pre-emption and crisis management responsibilities under the EIOPA Regulation.

Financial Stability Working Groups

Financial Stability Committee (FSC)

The Financial Stability Committee (FSC) focused on monitoring and analysing developments in the insurance and IORPs sectors. This included in particular the impact of the sovereign debt situation in some European countries and also that of other events such as natural catastrophes, including the impact of the Japanese earthquake in March 2011 and the subsequent devastating tsunami. Furthermore, the FSC developed a 2011 stress test exercise for the European insurance sector, including a subsequent satellite exercise for a low-yield environment. The FSC also developed and implemented the EIOPA risk dashboard based on quarterly information collected from national supervisors. The FSC contributed to the work of the cross-sector risk subcommittee of the Joint Committee. FSC also contributed to the two half-year Financial Stability Reports monitoring both sectors (IORPs and insurance undertakings), which were also submitted to the EU Economic and Financial Committee (EFC) and the ESRB.

Corporate support Working Groups

Information Technology and Data Committee (ITDC)

In 2011, the IT and Data Committee (ITDC) focused on developing EIOPA’s IT and data strategy and, following on from this, it worked on IT specifications and implementation plans. The IT strategy set out the IT-related goals needed to fulfil EIOPA’s mission. The Board of Supervisors adopted the IT and data strategy reports at its October 2011 meeting and mandated EIOPA to implement the IT-related goals set out therein. The Board of Supervisors required the ITDC to produce high-level and outline IT plans and specifications, with particular focus on an EIOPA IT implementation plan.


Update on Solvency II

• Solvency II is a new regulatory framework providing supervisors with the appropriate tools for assessing the overall solvency of insurance and reinsurance undertakings by quantitative and qualitative means, thus improving understanding and management of these undertakings’ risks.

• It is based on three pillars: quantitative requirements (pillar I); governance, risk management and supervisory review (pillar II); and supervisory reporting and public disclosure (pillar III).

• The framework directive was published on 17 December 2009.

• The Omnibus II Directive is under discussion in the European Parliament and Council of the European Union following the legislative proposal from the European Commission on 19 January 2011.

• Implementing measures have been discussed between the European Commission and Member States since the end of 2009.

• Standards are being drafted by EIOPA to be endorsed by the European Commission.

• Guidelines are being drafted by EIOPA to ensure the convergent application of the regulation.

• Date of entry into force of Solvency II: 1 January 2014.

Omnibus II Directive and implementing measures

Following the creation of EIOPA, the Solvency II Directive required revision to reflect the new supervisory structure; these revisions will form part of the Omnibus II Directive (OMDII). OMDII will introduce into the Solvency II Directive the necessary regulatory and supervisory powers for EIOPA to discharge its responsibilities.


In addition, OMDII also includes transitional measures allowing gradual implementation of Solvency II. This extension means that the beginning of the regime would be aligned with the end of the financial year for most insurance undertakings. During 2011 EIOPA continued to provide technical and analytical support to the Commission and gave further input to clarify its previous advice on the development of the implementing measures for Solvency II. While deliberations were taking place in the European Parliament and the Council of the European Union on OMDII, the Commission, Member States and stakeholders also examined the draft implementing measures. Key areas under discussion were the sustainability of long-term insurance guarantees, the volatility of elements in undertakings’ solvency balance sheets, and reporting and disclosure requirements.

Standards and guidelines

In 2011, EIOPA focused on preparing the final set of regulatory measures, the draft standards and guidelines. Solvency II will be one of the first projects to benefit directly from EIOPA’s regulatory powers to draft standards and subsequently to ensure consistent implementation of legislation through binding mediation and oversight of Colleges of Supervisors. Until there is agreement on the proposals for the OMDII Directive, EIOPA will not have complete certainty on the scope of its powers for drafting the standards for Solvency II and the detail of the regulatory provisions which the standards and guidelines are intended to support. Consequently, it was important for EIOPA to monitor the various OMDII proposals and thus identify the standards which the Authority expects it will have to draft before Solvency II enters into force on 1 January 2014.


During 2011, EIOPA also identified those areas in which it is essential to have guidelines in place before the entry into force of Solvency II. EIOPA is committed to effective consultation and communication with its stakeholders to improve the quality of the regulatory provisions and assist the industry in preparing for the new regime. Subject to the conclusion of the negotiations on OMDII and the implementing measures, EIOPA plans public consultation on the packages of draft standards and guidelines during 2012. In 2011, EIOPA launched official public consultations in two areas in which early discussion with and preparation by the industry are particularly important. These consultations were on the draft standards and guidelines on reporting and disclosure, and on guidelines on Own Risk and Solvency Assessment (ORSA).

In other areas, EIOPA continued its informal pre-consultations with selected stakeholders (European Insurance and Reinsurance Federation (CEA), Association of Mutual Insurers and Insurance Cooperatives in Europe (AMICE), Chief Risk Officers (CRO) Forum and Chief Financial Officers (CFO) Forum, Groupe Consultatif Actuariel Europeen), thus having an ongoing dialogue with the industry ahead of the public consultation. A number of other initiatives were set up specifically to improve EIOPA’s cooperation and exchange of information with its stakeholders. Several task forces completed their work in 2011, which resulted in the publication of the “Report on the Calibration Factors in the Standard Formula of Solvency II” and the “Report of the Task Force on Expected Profits arising from Future Premiums”. Finally, following the creation of EIOPA’s Insurance and Reinsurance Stakeholder Group, EIOPA actively involved its members in major aspects of Solvency II.


Areas in which EIOPA prepared draft standards and guidelines during 2011:

• Solvency capital requirements for standard formula as well as for internal model users; own funds; valuation of technical provisions; valuation of assets and liabilities.

• Group supervision.

• Supervisory transparency and accountability, reporting and disclosure, external audit.

• Governance, ORSA.

• Supervisory review process; capital add-ons; extension of recovery period (‘Pillar 2 dampener’); finite reinsurance; special purpose vehicles.

Quantitative Impact Study 5

One of the key achievements of EIOPA in 2011 was completion of the report on the Fifth Quantitative Impact Study (QIS5) in March 2011. The results of the QIS5 exercise were taken into account in discussions on the implementing measures and are being reflected in the drafting of standards and guidelines.

The QIS5 exercise

In March 2011, EIOPA delivered to the European Commission a report on the results of the fifth pan-European quantitative impact study organised to inform policymakers on the potential effects of the detailed implementing measures which are being drafted for the Solvency II regulatory framework. More than 2 500 individual undertakings and 160 groups from the 30 members of the European Economic Area participated voluntarily in this simulation exercise, providing detailed quantitative and qualitative inputs on the various elements of the future regulation. The study confirmed that overall the industry remained well capitalised under the draft provisions and options tested. The study gathered useful input on transitional provisions for discounting, the grandfathering of specific elements of own funds, and the transitional equivalence of third-country regimes, for example. Valuable insight was gained about the characteristics of internal models under development by undertakings, the difficulties in calculating the loss-absorbing capacity of technical provisions and deferred taxes, and the potential impact of the introduction of an illiquidity premium in the valuation of technical provisions. The study also covered the treatment of participations; it gathered information on the relevance of expected profit in future premiums, and on the group solvency assessment under the consolidation and deduction and aggregation methods. The study results highlighted the areas in which further work would be desirable. This was then initiated by EIOPA as follows: definition of contract boundaries in the valuation of technical provisions; the need to reduce complexity in certain areas; developments in the calibration of catastrophe risk; and the treatment of long-term guarantees in the context of Solvency II. A particular topic – the refinement of factors used in the non-life underwriting and health non-similar-to-life underwriting risk modules – was addressed by specific data collection in the QIS5 exercise. The data were analysed using a methodology drawn up by a task force of supervisors, actuaries and industry representatives.


For most business lines, the report published in December 2011 facilitated joint recommendations for amendments of the factors used in the QIS5 exercise. EIOPA’s current and future work on the development of draft technical standards and guidelines for Solvency II will benefit greatly from the lessons learned during the QIS5 exercise, in particular by enhancing the practicability and feasibility of the rules for a single rule book of standards and guidelines to ensure convergent application of the new system.

Standard formula capital requirements

EIOPA prepared draft standards and guidelines on the approval process and data quality for undertaking-specific parameters for solo undertakings and groups; methods for the calculation of undertaking-specific parameters for solo undertakings; the loss-absorbing capacity for deferred taxes and technical provisions; and standard capital requirements for health underwriting risk. Informal pre-consultations will be launched and further draft standards and guidelines developed in 2012. One key area in which EIOPA delivered further advice to the Commission was the calibration of the non-life underwriting risk module. The advice was based on a European-wide data request to the industry launched in September 2010, and on discussions with industry representatives and the European Commission to consider the most appropriate calibration methodologies. The results of this work were published in December 2011. In the area of catastrophe risk, following discussions with the industry, EIOPA made its final recommendation on a number of outstanding non-life and health catastrophe risk issues for the implementing measures. In the second half of 2011, EIOPA continued working with industry representatives on zoning and reinsurance standards, as well as on catastrophe risk guidelines.

Technical provisions

Informal pre-consultations were held on actuarial guidelines for the valuation of technical provisions. EIOPA began developing the draft standard on the risk-free interest rate curve and contract boundaries. For the first time, the European Commission tested in QIS5 a risk-free interest rate term structure which included a so-called illiquidity premium. The term structure was based on an adjusted swap rate, and a new extrapolation method was applied for long maturities. During 2011, discussions continued on adjustments to the risk-free rate following the QIS5 results and on the sustainability of long-term insurance guarantees. EIOPA participated in these discussions organised by the European Commission with Member State and industry representatives. Proposals emerged from Member States and industry on new adjustments, the so-called counter-cyclical premium and the matching premium. These proposals were analysed by EIOPA in the context of developing a standard for the risk-free rate that EIOPA will define and publish. Discussions are expected to continue in 2012.

Valuation of assets and liabilities (excluding technical provisions)

Informal pre-consultations were held on draft standards and guidelines concerning the valuation of assets and liabilities. This included guidelines on the use of mark-to-model techniques and the compatibility of International Financial Reporting Standards (IFRS) with Solvency II. During 2011, EIOPA also contributed to the process of IFRS standard-setting and subsequent EU endorsement of those standards.

Reporting and disclosure

In 2011, EIOPA launched a public consultation on its draft guidelines and standards for reporting and disclosure. This marked the end of an ongoing and fruitful process of informal consultation with stakeholders since 2009. Due to the importance of harmonised reporting requirements for the Solvency II project, and also for other areas of EIOPA’s work, such as financial stability and the level of preparation that will be required from the industry, one of EIOPA’s key aims is to arrive at stable reporting requirements as soon as possible. Further discussions on specific aspects of the reporting templates and the frequency of reports are expected to continue in the first half of 2012.

Governance and risk management requirements

Informal pre-consultations were held on standards for governance, including ORSA (the latter issue was also subject to public consultation later on). EIOPA began developing draft standards and guidelines on transparency and accountability of supervisory authorities and the supervisory review process, capital add-ons and extension of the recovery period in deteriorating market conditions as well as on external audit.

Own funds

Informal pre-consultations were held on draft standards and guidelines for ancillary own funds and the classification of own funds. Further work was carried out on the treatment of participations and ring-fenced funds.

Internal models

Informal pre-consultations were held on draft standards and guidelines for the following: application processes for internal models; policies for changing the model; partial internal models; use tests; expert judgments; probability distribution forecasts (PDF); and consistency between the methodology used for the PDF calculation and the methodology used for valuation of assets and liabilities (e.g. the calculation of technical provisions, approximations for calibrations, profit and loss attributions, validation policy and validation tools, documents and the use of external models). Following the publication in 2010 of guidelines supporting the pre-application process for internal models, EIOPA monitored the activities of supervisors and industry, using this opportunity to check the day-1 applicability of internal models. This included informal practical meetings of supervisors involved in the pre-application process.

Insurance stress test

At the end of March 2011, EIOPA launched the second Europe-wide stress test for the insurance sector, which was followed in mid-August by a satellite exercise assessing the effects of a prolonged period of low interest rates.

This satellite exercise is often referred to as the “low-yield stress test”, and while it was planned in conjunction with the core stress test, its launch was postponed to ease the workload of participating undertakings. In accordance with its regulation, EIOPA shall conduct stress test exercises for the insurance and IORPs sectors at least once a year. The 2011 core and low-yield stress test exercises were to assess the strength of individual institutions and evaluate the overall resilience of the industries to several clearly defined adverse economic and financial market environments. The core stress test was launched in March 2011 based on data as of 31 December 2010, and the aggregated results of the exercise were published in July 2011. Of the 221 insurance and reinsurance groups and undertakings covered, 58 groups and 71 single entities reported results to EIOPA, representing approximately 60% of the whole European insurance market. The results of the stress test exercise confirmed that the insurance market in Europe as represented by the 129 participating entities is robust and is well prepared for potential future shocks. Data showed that approximately 10% (13) of the groups and undertakings which responded did not meet the minimum capital requirement (MCR) in the adverse scenario. A total of 8% (10) failed to meet the MCR in the inflation scenario. Overall, EIOPA identified the main drivers of the results as adverse developments in equity prices, interest rates and sovereign debt markets. On the liability side, non-life risks were more critical, triggered by increased claims inflation and natural disasters. Risks from sovereign bond exposures were covered separately in a supplementary test and the results showed that approximately 5% (6) of the participating groups and undertakings would not meet the MCR. The satellite exercise was launched after the EIOPA 2011 core stress test exercise. This was to analyse the risks that European insurers would face in a scenario where interest rates remained low for a prolonged period of time, and to understand the development of insurers’ capital positions in adverse economic conditions, as well as to evaluate the overall stability of the insurance market.

It was targeted at those insurers that are exposed to interest-rate sensitive products, since a low-interest scenario would significantly jeopardise the ability of these undertakings to meet the performance guarantees provided in certain insurance contracts. For this reason, compared to the scope of the core stress test, the sample of reporting undertakings was slightly reduced to 82 in total. Otherwise, the setup of the low-yield stress test was identical to the core test, i.e. valuations were based on Solvency II/QIS5 technical specifications, and the reference date was 31 December 2010. Based on these results, EIOPA concluded that, on average, the industry would be adversely affected by a prolonged period of low yields. Depending on the particular shape that such a low-yield curve would take and where the low yields were located along the curve, results suggest that 5%-10% of the insurers included in the test would face severe problems in the sense that their solvency ratio would fall below 100%. In addition, an increased number of insurers would see their capital position deteriorate with solvency rates only slightly above the 100% mark, meaning they could become vulnerable to other potential external shocks.

Risk dashboard

In October 2011, the EIOPA FSC set up its first (pilot) risk dashboard, in line with the framework of the joint group on the cooperation between the ESAs and the ESRB on systemic risk. As part of the new European supervisory legislation, EIOPA, the other ESAs and the ESRB are called upon to “develop a common set of quantitative and qualitative indicators (risk dashboard) to identify and measure systemic risk”. This dashboard should be constructed as a joint effort of the ESAs and the ESRB to give a structured view of risks to the financial sector and thus to facilitate a regular assessment of these risks and possible mitigation policies. It is envisaged that the risk dashboards of the various institutions be discussed at ESRB meetings (General Board and/or Advisory Technical Committee) to assess systemic risk. The two main outputs required are risk vulnerabilities and solvency profitability (meaning the ability to withstand shocks). A first pilot risk dashboard has been approved by EIOPA but is still in a development phase and needs to be further refined and finalised after completion of the quality control phase. As far as the methodology is concerned, the EIOPA risk dashboard is based both on public sources (market data) and the confidential quarterly fast-track reporting from the 30 largest European insurance groups and it contains both quantitative and qualitative indicators. Data availability for dashboard purposes is expected to further improve with the introduction of Solvency II reporting from 2014 onwards. A set of some 50 quantitative indicators form the basis of the risk assessment, and these are mapped into aggregated categories that are also used by the other ESAs.

These are macro risk, credit risk, market risk, funding and liquidity risk, profitability and solvency interlinkages and imbalances, and a specific category for insurance risk. The risk dashboard is then obtained through the mechanical aggregation of these indicators and additional expert judgment which is important for filtering out noise from the data and producing credible risk assessments. The risk dashboard will be shown in the form of a graph with colour coding. In addition to work on the risk dashboard, EIOPA launched several initiatives during 2011 to improve market monitoring. For example, a daily financial market monitor was launched, and this is now produced and circulated among EIOPA Staff and EIOPA FSC Members. A more comprehensive bi-weekly briefing containing risk assessments and market analysis was also developed, and regular production of this briefing is planned for 2012.

Oversight

During 2011 EIOPA undertook significant work in relation to insurance groups under the current regime (Solvency I), whilst in parallel preparing itself for the Solvency II framework. This has included initiatives to harmonise and streamline group supervision for cross-border groups and enhance co-operation between supervisors within the Colleges of Supervisors. EIOPA has started to attend the meetings of Colleges of Supervisors since the beginning of 2011, and this has been a vital mechanism for helping supervisors to prepare for the entry into force of Solvency II, in particular with regard to the pre-applications for internal models.

In March EIOPA published its report on the functioning of colleges, and also the targets to be achieved during 2011, as included in EIOPA’s 2011 Action Plan for Colleges of Supervisors. The overall strategic target of EIOPA’s College work is to consolidate the position of the EEA supervisory community vis-a-vis the cross-border operating insurance groups for the benefit of both group and solo supervision. The focus is on combining and leveraging the knowledge and forces of the national supervisory authorities in the EEA to form a strong and equal supervisory counterpart to the mostly centrally organised and managed undertakings. In this respect, EIOPA as a member of the Colleges of Supervisors (“Colleges”) promotes communication, cooperation, consistency, quality and efficiency in the Colleges. In 2011, 89 insurance groups with cross-border undertakings were registered in the EEA. During the year, Colleges of Supervisors with at least one physical meeting or teleconference were organised for 69 groups. A total of 14 national supervisory authorities acted as group supervisors to organise the events. Some 6 Colleges were chaired by the Swiss Financial Market Supervisory Authority (FINMA) as group supervisor. During the setup phase in the first year after its establishment, EIOPA attended College meetings and/or teleconferences of 55 groups.

The main conclusions from EIOPA’s observation in the Colleges in 2011 are as follows:

• Substantial efforts were made by supervisors in preparing, organising and contributing to the College;
• The exchange of the QIS5 and stress test results in most of the Colleges enhanced the quality of the discussions and improved the supervisors’ common understanding of the undertakings’ risk exposure and solvency position;
• Similarly, the discussion of financial conglomerate aspects, where relevant, helped to improve College members’ awareness of the financial strength of the groups as a whole;
• Concerns or legal constraints in some Member States relating to the exchange of confidential information hampered the scope and quality of discussions in the Colleges;
• Differences observed between the Colleges regarding:
- Scope, content and the frequency of information exchange in the Colleges,
- Preparation and focus of presentations and discussions with the firms’ representative
are areas for improvement in implementing an EEA-wide consistent, coherent and effective supervision for cross-border groups;
• The emergency infrastructure test was successfully completed by most of the Colleges;
• The Colleges are making great efforts to prepare for the implementation of the Solvency II Directive, in particular the pre-application process for use of an approved internal model.

Participation in Colleges by EIOPA staff

During 2011, five full-time equivalent staff were recruited to constitute EIOPA’s College team. A coordinator had been appointed at the beginning of 2011 to prepare a strategy for EIOPA and to kick off EIOPA’s participation in the Colleges.

EIOPA staff’s commitment to the Colleges focused primarily on the following issues:

• To explain EIOPA’s role in the Colleges;
• To gain experience from participating in College meetings for the first year;
• To monitor the collaboration of College members regarding the appropriate information exchange and the discussion of relevant topics in the College;
• To provide input into the agenda and stimulate information exchange within Colleges on stress test results and the dialogue on risk exposure, financial strength and resilience to adverse economic and financial market developments;
• To provide regular updates on the working assumptions in light of the still pending decisions on the Solvency II timelines;
• To act as a link between the Colleges and Solvency II Working Groups and provide practical input into Solvency II policy work.

During 2011, EIOPA staff observed overall significant differences in the level of information exchange. Areas for improvement include in particular a continuous and effective information exchange, as well as discussion and assessment of risks by taking a more prospective view.

EIOPA’s Action Plan 2012 for Colleges was established taking into account the experience and conclusions from College work in 2011.

Crisis Management

In early 2011, a set of interim procedures for dealing with emergency situations was drawn up by EIOPA in conjunction with the other ESAs.

A seconded national expert in crisis management was appointed in March 2011, and work then commenced on the development of a permanent framework for crisis management for EIOPA. Key to this was the development of a strategic policy on crisis management that was presented to the Board of Supervisors in June 2011. The Board of Supervisors recognised the need to put a robust framework in place at an early stage, and an ad hoc Board of Supervisors’ task force was created to develop this framework. In December 2011, the task force delivered a comprehensive, decision-making framework which was endorsed by the Board of Supervisors. This framework sets out in detail the processes that EIOPA will follow in discharging its crisis pre-emption and management responsibilities under the EIOPA Regulation. A small standing group was created, comprising EIOPA members and staff, that will consider on a regular basis whether EIOPA needs to act under the Regulation and what actions it may take. This approach is seen as the most efficient way of carrying out regular monitoring and preparing Board of Supervisors’ decisions on crisis management issues.

EIOPA Work Programme 2012

In 2012 EIOPA will already operate as a fully-fledged European agency; however, many of the processes and procedures have to be refined or adapted to the growing organisation and new responsibilities. The Work Programme sets out the goals and deliverables for the second year of operations.

Regulatory tasks

In 2012, EIOPA will deliver draft implementing and regulatory technical standards as well as guidelines in the different work streams, according to specific needs to complement the principles and regulations issued by the European Commission. The concrete scope and timing of these deliverables depend on the final decision on the Omnibus II Directive (OMDII) as well as on the approval of the final Delegated Acts implementing Solvency II. In 2012, EIOPA will prepare its final advice to the European Commission on the review of the Directive on the activities and supervision of institutions for occupational retirement provision (IORP Directive). EIOPA will then develop specifications and carry out a targeted quantitative impact study (QIS) exercise in order to support the Commission’s proposal for a revised IORP Directive. EIOPA will contribute to the revision of the Insurance Mediation Directive (IMD), by providing a respective advice to the European Commission.

Supervisory tasks

EIOPA will continue to participate in the work of Colleges of Supervisors and will specifically promote frequent information exchange and discussion on risks. To promote the exchange of information in a safe and sound manner within Colleges of Supervisors, EIOPA will give priority to its work on the implementation of a common IT solution for the secure exchange of information within Colleges, also in crisis times, with the aim to have the tool ready in 2012. In the course of 2012 EIOPA will launch three peer reviews on the following topics: supervision of branches of EEA insurance entities, supervisory aspects of the pre-application of internal models and supervisory powers to obtain information and intervention regarding IORPs.

Consumer Protection and Financial Innovation

EIOPA will further develop and pursue its leading role in promoting transparency, simplicity and fairness in the market for consumer financial products and services across the internal market. This will be done by developing more standardised and comparable information about the risks and costs of products, relevant regulatory requirements and complaints handling procedures. The CCPFI will continue its monitoring and assessment of new or innovative financial activities, release good practices reports and, where deemed appropriate, make proposals for the adoption of guidelines and recommendations with a view to promoting the safety and soundness of markets and convergence of regulatory practice.

Financial Stability

EIOPA will carry out a harmonised, pan-European stress test for the insurance sector in cooperation with the ESRB, the ECB and EBA. In autumn 2012 EIOPA will deliver an annual assessment of sector developments, highlighting implications for financial stability, with a provisional report in the spring of 2012, outlining main market trends since the end of 2011. The Authority will also further develop and monitor a risk dashboard in cooperation with the ESRB and other ESAs.

Crisis management

EIOPA will continue to develop its crisis management framework with the focus on the pre-emption element and analytical tools to be used in decision-making.

Later in 2012 a simulation exercise to test the operation of the new framework will be carried out. EIOPA will also contribute to the work of the European Commission in developing crisis management proposals for insurance, along with the work of the IAIS on resolution tools for systemically important insurance undertakings.

External Relations

EIOPA’s view is elaborated with the Members’ support and set forth in the relevant committees of IAIS. Particular focus will be given to raise EIOPA’s voice in the IAIS Executive Committee and to promote the Common Framework for the Supervision of Internationally Active Insurance Groups (ComFrame). At the same time, EIOPA will continue to develop its international relations by holding regulatory dialogues and maintaining a close contact with third countries including the US, China, Japan and Latin America. EIOPA will also continue to assist the European Commission in preparing equivalence decisions pertaining to supervisory regimes in third countries by way of producing final, fully consulted upon advice.

Joint Committee

In 2012 the Joint Committee will further develop its work in the sub-committees on financial conglomerates, on cross sector developments, risks and vulnerabilities, on anti-money laundering and on consumer protection and financial innovation. The exchange of information with the ESRB will also be further developed.

List of the Members and Observers of the EIOPA Board of Supervisors

NUMBER 3

Board of Governors of the Federal Reserve System Federal Deposit Insurance Corporation

Office of the Comptroller of the Currency

For immediate release August 27, 2012

Credit Risk in the Shared National Credit Portfolio Declines, but Remains High

The credit quality of large loan commitments owned by U.S. banking organizations, foreign banking organizations (FBOs), and nonbanks improved in 2012 for the third consecutive year, according to the Shared National Credits (SNC) Review for 2012. A loan commitment is the obligation of a lender to make loans or issue letters of credit pursuant to a formal loan agreement. The volume of criticized loans remained high at $295 billion compared with levels before the financial crisis, but declined 8.1 percent from 2011. A criticized loan is rated special mention, substandard, doubtful, or loss. Reasons for improvement in credit quality included better operating performance among borrowers, debt restructurings, bankruptcy resolutions, and ongoing access to bond and equity markets. Despite this progress, poorly underwritten loans originated in 2006 and 2007 continued to adversely affect the SNC portfolio. While the overall quality of underwriting of SNCs that were originated in 2011 was significantly better than in 2007, some easing of standards was noted, specifically in leveraged finance credits, especially compared with the relatively tighter standards present in 2009 and the latter half of 2008.

Refinancing risk eased during the past year as 37.1 percent of SNCs will mature over the next three years compared with 63.4 percent for the same time frame in the 2011 SNC Review. The federal banking agencies expect banks and thrifts to originate syndicated loans using prudential underwriting standards, regardless of their intent to hold or sell them. SNCs that are poorly underwritten will be subject to regulatory criticism or classification during annual SNC reviews. The federal banking agencies expect to finalize revised guidance on leveraged lending to form the basis of the agencies' supervisory focus and review of supervised financial institutions involved in leveraged lending. Although nonbank entities, such as securitization pools, hedge funds, insurance companies, and pension funds, owned the smallest share of loan commitments, they owned the largest share (62.4 percent) of classified credits (rated substandard, doubtful, or loss). In other highlights of the review:

• Total SNC commitments increased 10.6 percent from the 2011 review to $2.79 trillion. Total SNC loans outstanding increased $125 billion to $1.24 trillion, an increase of 11.2 percent.

• Criticized assets represented 10.6 percent of the SNC portfolio, compared with 12.7 percent in 2011.

• Classified assets declined 8.8 percent to $196 billion in 2012 and represented 7 percent of the portfolio, compared with 8.5 percent in 2011.

• Credits rated special mention, which exhibited potential weakness and could result in further deterioration if uncorrected, were largely unchanged at $99 billion in 2012, representing 3.6 percent of the portfolio.

• Adjusted for losses, nonaccrual loans declined to $81 billion from $91 billion, an 11.1 percent reduction.

• The distribution of credits across entities (U.S. banking organizations, FBOs, and nonbanks) remained relatively unchanged. U.S. banking organizations owned 43.2 percent of total SNC loan commitments, FBOs owned 36.9 percent, and nonbanks owned 19.8 percent. The share owned by nonbanks declined for the second consecutive year. Nonbanks continued to own a larger share of classified (62.4 percent) and nonaccrual (66.4 percent) assets compared with their total share of the SNC portfolio. Institutions insured by the Federal Deposit Insurance Corporation owned 13.4 percent of classified assets and 9.5 percent of nonaccrual loans.

• The media and telecommunications industry group led other industry groups in criticized volume with $66 billion. Finance and insurance followed with $34 billion, then utilities with $30 billion. Although these groups had the largest dollar volume of criticized loans, the three groups with the highest percentage of criticized loans were entertainment and recreation (28.3 percent), media and telecommunications (24.6 percent), and transportation services (22.7 percent). Each of these industry groups saw declines in the share of criticized loans from a year ago.

The SNC program was established in 1977 to provide an efficient and consistent review and analysis of SNCs.

A SNC is any loan or formal loan commitment, and any asset such as real estate, stocks, notes, bonds, and debentures taken as debts previously contracted, extended to borrowers by a federally supervised institution, its subsidiaries, and affiliates that aggregates to $20 million or more and is shared by three or more unaffiliated supervised institutions.

Many of these loan commitments are also shared with FBOs and nonbanks, including securitization pools, hedge funds, insurance companies, and pension funds.

In conducting the 2012 SNC Review, agencies reviewed $811 billion of the $2.79 trillion credit commitments in the portfolio.

The sample was weighted toward noninvestment grade and criticized credits.

The results of the review are based on analyses prepared in the second quarter of 2012 using credit-related data provided by federally supervised institutions as of December 31, 2011, and March 31, 2012.

NUMBER 4

Progress note on the Global LEI Initiative This is the first of a series of notes on the implementation of the legal entity identifier (LEI) initiative. The G-20 in Los Cabos endorsed the FSB recommendations and asked the Board to take forward the work to launch the global LEI system by March 2013. Progress reports on the LEI initiative will be prepared approximately every three weeks. Implementation Group: The FSB set up an Implementation Group (IG) to take forward the work. The IG comprises 55 experts from the global regulatory community, and includes members from 20 jurisdictions, as well as representatives from standard setters and international financial institutions. There are three main workstreams: - legal and governance; - operations; and - corporate hierarchy data.

A co-ordination group of 5-7 members guides each work stream, providing a geographic balance.

Private Sector Preparatory Group (PSPG):

A call for members of a private sector expert group to collaborate on the work solicited widespread interest – about 170 members from almost 30 jurisdictions are participating actively in the group.

Following an inaugural meeting in New York on 25 July, working groups have been set up to provide input in each of the three main areas, facilitated by members of the IG. A dedicated secure web based forum has been launched for communication and knowledge sharing, hosted by the Cleveland Federal Reserve.

Charter for the Regulatory Oversight Committee (ROC) and other Governance Issues:

A key task for the IG is to prepare a draft Charter for the ROC for approval by the FSB in October and G20 in November. A first full draft will be reviewed by the IG in early September, prior to review by the Steering Committee in mid-September.

The IG is working through a number of challenging issues, including:

- delivery of adequate regulatory enforcement power over the global system by the ROC;
- membership criteria (including the treatment of sub-national regulatory bodies and international bodies);
- decision making if consensus cannot be reached;
- what is an appropriate minimum regionally balanced quorum of support from authorities to launch the system that ensures balanced representation of early, medium and late movers; and
- the structure of the not-for-profit Global LEI Foundation (the legal form of the operational element of the LEI system).

The choice of location and hence jurisdiction for the Foundation will have an important influence on the legal framework for the LEI system, including possibly the legal form of the ROC and the means available for expressing governance: the FSB Secretariat is seeking pro bono advice from legal experts on the location issue by early September. To facilitate the ultimate acceptance of the Charter by the FSB Plenary, IG members are seeking feedback from legal staff on the document as work proceeds.

Operations:

The private sector has a key role in the operational implementation of the system: the Central Operating Unit (COU) of the system will be formed via the establishment of a not-for-profit global LEI foundation under the oversight of the ROC. A number of the PSPG Working Groups are focusing on operational aspects – a structured framework (Enterprise Architecture) is being used to organise the work. Early results will be reviewed in October. A number of potential Local Operating Units (LOUs) are involved in the analysis of operational solutions to ensure that the proposed model is acceptable to participants around the world.

Ownership and Hierarchy data:

An important short term objective is to develop concepts and plans for extending the basic data on entity identification (which will be available when the system is launched) to include information on corporate ownership and other relationships. The extension is necessary to support risk aggregation and consolidation and thus capture the full benefits of the LEI system. Additional data, however, implies an expansion of scope and thus the benefits and costs of any particular extension must be considered carefully. The IG is working closely with the PSPG to develop preliminary recommendations by end-2012.

Early movers:

The CFTC announced on July 24 that DTCC/SWIFT had been designated as the provider of CFTC Interim Compliant Identifiers (CICIs) for a limited period of two years. The CFTC also confirmed that the Commission plans to adopt the governance principles and LEI reference data requirements endorsed by the FSB, and that once these steps are completed the CICI system will subsequently transition into the global LEI.

IG members are currently reviewing a number of technical issues to ensure that decisions by early movers do not have an adverse impact on the costs or operational flexibility of the global system, for instance by locking the future global LEI system into early, local technical system design choices.

NUMBER 5

OCC Updates Stress Testing Implementation Timeline

WASHINGTON — The Office of the Comptroller of the Currency (OCC) today announced it is considering changes to the implementation timeline for the company-run stress testing required by the Dodd-Frank Wall Street Reform and Consumer Protection Act. The changes under consideration would delay implementation until September 2013 for covered institutions with total consolidated assets between $10 billion and $50 billion.

On January 24, 2012, the OCC published in the Federal Register a notice of proposed rulemaking to implement section 165(i) of the Dodd-Frank Act, which would require certain financial companies, including certain national banks and federal savings associations, to conduct annual stress tests in accordance with regulations prescribed by the OCC. In the notice of proposed rulemaking, the OCC stated that “[a] national bank or federal savings association that is a covered institution shall be subject to this part on [the effective date of the rule] and will conduct its first stress test under this part using financial statement data as of September 30, 2012, with results reported as required under this part in January 2013.”

The OCC received a number of comments on the proposed immediate effective date identifying concerns about resources, readiness, and ability to conduct stress tests given the likely short period between publication of a final rule and the start of the stress-testing process. A key priority in implementing this section of the Dodd-Frank Act is to ensure that banks have robust systems and processes to conduct the stress tests.

In response to the concerns expressed in comments, the OCC is considering delaying the effective date of the rule to conduct the annual stress tests for certain institutions. The proposed delay would help ensure that all covered institutions have sufficient time to develop sound stress testing programs.

Specifically, the OCC is considering a timeline under which covered institutions with assets from $10 to $50 billion would be required to conduct initial stress tests in accordance with the rule in late 2013. The OCC is considering requiring covered institutions with assets greater than $50 billion to begin conducting annual stress tests under the rule this year, although the OCC would maintain its reservation of authority to allow covered institutions above $50 billion to delay implementation on a case-by-case basis where warranted.

As part of efforts among the federal banking agencies to coordinate the implementation of Dodd-Frank stress test requirements, the OCC has consulted on this proposed implementation delay with the Federal Reserve Board (Board) and the Federal Deposit Insurance Corporation (FDIC). The Board and FDIC are considering similar changes to timelines included in their proposed rules implementing Dodd-Frank stress test requirements. The final implementation timeline for all covered institutions will be specified in the final rule.

Note:

Section 165(i) of the Dodd-Frank Act created two types of stress testing requirements: stress tests conducted by the company and stress tests conducted by the Board of Governors of the Federal Reserve System (“Board”). Section 165(i)(2) requires certain financial companies, including national banks and Federal savings associations, to conduct stress tests and requires the primary financial regulatory agency of those financial companies to issue regulations implementing the stress test requirements. A national bank or Federal savings association is subject to the stress test requirements if its total consolidated assets are more than $10 billion.

Under section 165(i)(2), a financial company is required to submit to the Board and to its primary financial regulatory agency a report at such time, in such form, and containing such information as the primary financial regulatory agency may require. The primary financial regulatory agency is required to define “stress test,” establish methodologies for the conduct of the company-conducted stress test that must include at least three different sets of conditions (baseline, adverse, and severely adverse), establish the form and content of the institution's report, and compel the institution to publish a summary of the results of the Dodd-Frank institutional stress tests.

In general, section 165 of the Dodd-Frank Act sets forth a number of requirements and responsibilities for the Board related to supervision and prudential standards for nonbank financial companies and bank holding companies with total consolidated assets equal to or greater than $50 billion. In addition to the company stress tests required under section 165(i)(2), section 165(i)(1) requires the Board to conduct annual analyses of nonbank financial companies supervised by the Board and bank holding companies with total consolidated assets equal to or greater than $50 billion to determine whether such companies have the capital, on a total consolidated basis, necessary to absorb losses as a result of adverse economic conditions. The Board published a proposed rule implementing this supervisory stress testing on January 5, 2012.

As required by section 165(i)(2), this proposed rule implements the company-conducted stress test requirements for national banks and Federal savings associations. Under this proposed rule, a national bank or a Federal savings association with total consolidated assets of more than $10 billion, defined as a “covered institution,” would be required to conduct an annual stress test as prescribed by this proposed rule.

The OCC is developing this rule in coordination with the Board and the Federal Insurance Office, as required by section 165(i)(2)(C). The Board and Federal Deposit Insurance Corporation (“FDIC”) are planning to issue separate proposed rules with respect to their supervised entities.

For purposes of this rule, the proposed rule defines a stress test as a process to assess the potential impact of hypothetical economic conditions (“scenarios”) on the capital of a covered institution over a set period (the “planning horizon”), taking into account the current condition of the covered institution including its material risks, exposures, strategies, and activities.

The Purpose of Stress Tests

The OCC views the stress tests conducted by covered institutions under the proposed rule as providing forward-looking information to supervisors to assist in their overall assessments of a covered institution's capital adequacy and to aid in identifying downside risks and the potential impact of adverse outcomes on the covered institution's capital adequacy. In addition, the OCC may use stress tests to determine whether additional analytical techniques and exercises are appropriate for a covered institution to employ in identifying, measuring, and monitoring risks to the financial soundness of the covered institution, and may require a covered institution to implement such techniques and exercises in conducting its stress tests.

Further, these stress tests are expected to support ongoing improvement in a covered institution's stress testing practices with respect to its internal assessments of capital adequacy and overall capital planning. The OCC expects that the annual stress tests required under the proposed rule would be only one component of the broader stress testing activities conducted by covered institutions. In this regard, the OCC notes that the federal banking agencies have recently issued for public comment proposed joint guidance on “Stress Testing for Banking Organizations with More Than $10 Billion in Total Consolidated Assets.” These broader stress testing activities should address the impact of a range of potentially adverse outcomes across a set of risk types affecting aspects of the covered institution's financial condition other than capital adequacy. In addition, a full assessment of a covered institution's capital adequacy must take into account a range of factors, including evaluation of its capital planning processes, the governance over those processes, regulatory capital measures, results of supervisory stress tests where applicable, and market assessments.

NUMBER 6

Security First: New NIST Guidelines on Securing BIOS for Servers

From NIST Tech Beat: August 21, 2012

The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers.

BIOS—Basic Input/Output System—is the first major software that runs when a computer starts up.

Both obscure and fundamental, the BIOS has become a target for hackers.

Server manufacturers routinely update BIOS to fix bugs, patch vulnerabilities or support new hardware.

However, while authorized updates to BIOS can improve functionality or security, unauthorized or malicious changes could be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt their operations.

BIOS attacks are an emerging threat area.

In September 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi.

An important mechanism for protecting BIOS in servers is to secure the BIOS update process, guarding against unauthorized BIOS updates.

NIST's 2011 publication on BIOS security provided instructions for protecting BIOS in desktops and laptops.

The guidelines focused on the core principles of authenticating updates using digital signatures, BIOS integrity protection and "non-bypassability" features that ensure that no mechanisms circumvent the BIOS protections.

BIOS Protection Guidelines for Servers addresses BIOS security in the varied architectures used by servers.

"While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS," says author Andrew Regenscheid.

In addition, many servers contain service processors that perform a variety of management functions that may include BIOS updates, and this document provides additional security guidelines for service processors.

Servers require more flexibility, according to Regenscheid, because in addition to having different architectures, they are almost always managed remotely.

BIOS Protection Guidelines for Servers is written for server developers and information system security professionals responsible for server security, secure boot processes and hardware security modules.

The draft publication BIOS Protection Guidelines for Servers (NIST Special Publication 800-147B) is available at http://csrc.nist.gov/publications/drafts/800-147b/draft-sp800-147b_july2012.pdf

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure.

ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology.

ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems.

The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Executive Summary

Modern computers rely on fundamental system firmware, commonly known as the system Basic Input/Output System (BIOS), to facilitate the hardware initialization process and transition control to the operating system.

The BIOS is typically developed by both original equipment manufacturers (OEMs) and independent BIOS vendors, and is distributed to end-users by motherboard or computer manufacturers. Manufacturers frequently update system firmware to fix bugs, patch vulnerabilities, and support new hardware.

This document is the second in a series of publications on BIOS protections.

The first document, SP800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments.

In the future, NIST intends to develop a new publication providing an overview of BIOS protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as SP800-147A at that time.

Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture.

Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence.

This document covers BIOS protections for managed and blade servers.

These types of servers contain Service Processors—specialized microcontrollers that provide administrators with an interface to manage the host server.

Servers, particularly those with Service Processors, may implement multiple BIOS update mechanisms.

Servers implementing a single BIOS update mechanism, similar to those in PC client systems, are expected to meet the guidelines in SP800-147.

The security guidelines in this publication do not attempt to prevent installation of unauthentic BIOSs through the supply chain, by physical replacement of the BIOS chip, or through secure local update procedures.

Security guidelines are specified for four system BIOS security features:

• Authenticated BIOS update mechanisms, where digital signatures prevent the installation of BIOS update images that are not authentic.

• An optional secure local update mechanism, which requires that an administrator be physically present at the machine in order to install BIOS images without authentication.

• Firmware integrity protections, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.

• Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.
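
The four features above amount to a single gate on the BIOS flash: signed images are accepted, unsigned ones only with an administrator physically present, and nothing else may write the protected region. The Go program below is an added example (not code from NIST SP 800-147B or the newsletter) that models that gate with a constructed image format, Ed25519 verification against a provisioned platform update key, and a physical-presence flag; the image layout, the UpdateGate type and the flag are assumptions made for this illustration.

```go
// Added example, not NIST's or the newsletter's code: a model of an authenticated BIOS update gate.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update image layout (constructed for this example, not a real vendor format):
//   magic[4]="BIOS" | version uint32 BE | payloadLen uint32 BE | payload | signature[64]
// The signature covers every byte before it, so version and payload are both authenticated.
const magic, headerLen, sigLen = "BIOS", 12, ed25519.SignatureSize

var (
	ErrMalformed    = errors.New("update image malformed")
	ErrBadSig       = errors.New("signature does not verify under the platform update key")
	ErrNotPermitted = errors.New("unsigned image refused: secure local update needs physical presence")
)

// BuildImage assembles an update image. With priv == nil the signature field is
// left zeroed, which is what an unsigned image offered for a secure local update looks like.
func BuildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	sig := make([]byte, sigLen)
	if priv != nil {
		sig = ed25519.Sign(priv, buf.Bytes())
	}
	buf.Write(sig)
	return buf.Bytes()
}

// parse validates the framing and splits an image into its signed region and signature.
func parse(img []byte) (signed, sig []byte, version uint32, err error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return nil, nil, 0, ErrMalformed
	}
	n := binary.BigEndian.Uint32(img[8:12])
	if uint64(headerLen)+uint64(n)+uint64(sigLen) != uint64(len(img)) {
		return nil, nil, 0, ErrMalformed
	}
	cut := len(img) - sigLen
	return img[:cut], img[cut:], binary.BigEndian.Uint32(img[4:8]), nil
}

// UpdateGate is the only write path into Flash (non-bypassability) and the only
// place Flash is modified, and only after an image is accepted (integrity protection).
type UpdateGate struct {
	UpdateKey        ed25519.PublicKey // platform update key provisioned at manufacture (assumed)
	PhysicalPresence bool              // e.g. a jumper or front-panel button the gate observes (assumed)
	Flash            []byte            // current BIOS contents, the protected region
}

// Apply accepts an image via one of two sanctioned paths: an authenticated update
// whose signature verifies under UpdateKey, or a secure local update (unsigned image
// AND physical presence asserted). Anything else is rejected and Flash is untouched.
func (g *UpdateGate) Apply(img []byte) (uint32, error) {
	signed, sig, version, err := parse(img)
	if err != nil {
		return 0, err
	}
	unsigned := bytes.Equal(sig, make([]byte, sigLen))
	switch {
	case !unsigned && ed25519.Verify(g.UpdateKey, signed, sig): // authenticated update
	case unsigned && g.PhysicalPresence: // secure local update, administrator at the machine
	case unsigned:
		return 0, ErrNotPermitted
	default:
		return 0, ErrBadSig
	}
	g.Flash = append([]byte(nil), signed[headerLen:]...)
	return version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	gate := &UpdateGate{UpdateKey: pub}
	good := BuildImage(2, []byte("constructed BIOS payload v2"), priv)
	tampered := append([]byte(nil), good...)
	tampered[15] ^= 0x01 // flip one payload bit after signing
	local := BuildImage(3, []byte("constructed recovery payload"), nil)
	for _, img := range [][]byte{good, tampered, local} {
		v, err := gate.Apply(img)
		fmt.Println("version:", v, "result:", err)
	}
	gate.PhysicalPresence = true // administrator at the machine
	v, err := gate.Apply(local)
	fmt.Println("local update with physical presence:", v, err)
}
```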

This document also provides additional information and recommendations for implementing BIOS protections using three BIOS update mechanisms that are commonly implemented in servers.

This material is intended to help implementers design systems that meet the security requirements in this publication.

Service Processors are critical management components in many modern server designs.

They are responsible for various management features, depending on the implementation of the system.

Some, but not all, Service Processors are able to update the system BIOS.

This document describes the possible roles of Service Processors in the system BIOS update process, and describes how the security guidelines apply to systems containing these components.

NUMBER 7

Understanding threats

Statement by Dr. Kaigham J. Gabriel, Deputy Director, Defense Advanced Research Projects Agency

Submitted to the Subcommittee on Emerging Threats and Capabilities, United States House of Representatives

Interesting parts

At DARPA, we are often asked to predict the future. After all, since it was created in 1958, DARPA’s singular mission has been to create and prevent strategic surprise. Simple. Clear. Direct.

It may appear that the best way to create strategic surprise is to predict what’s next. Predict with great accuracy and as far out as possible. We hunger to know what’s next. To predict the future. But our hunger to predict is not matched by our ability to do so.

In 1964, Arthur C. Clarke, science fiction writer, inventor and futurist observed: “Trying to predict the future is a discouraging and hazardous occupation, because the prophet invariably falls between two chairs. If his predictions sound at all reasonable, you can be quite sure that in 20, or at most 50 years, the progress of science and technology has made him seem ridiculously conservative. On the other hand, if by some miracle, a prophet could describe the future exactly as it was going to take place, his predictions would sound so absurd, so far-fetched, that everybody would laugh him to scorn.”

At DARPA, we believe it is not about predicting the future... it is about building it. Indeed, the technical visionaries at DARPA are not oracles—they are builders.

Chairman Thornberry, Ranking Member Langevin, Members of the Subcommittee, my name is Ken Gabriel. I am the Deputy Director of the Defense Advanced Research Projects Agency. I would like to highlight some of the accomplishments of the Agency over the last 12 months and outline the challenges we see and our intentions for the coming year.

The impact from some of our work will be felt years from now. Other work is contributing sooner and is in the fight today. Regardless of where in that spectrum we are, DARPA’s work is underscored by a focus on building. Building capabilities and demonstrations at convincing scale that drive the advance of the underlying technologies and science. We innovate by building. We achieve our best by building.

Building the future

Some of the Agency’s greatest contributions—things we now take for granted and as having been inevitable—were, at their inception, often considered impossible. The Internet, stealth, UAVs for example, when first proposed were described by some as impractical, far-fetched, and risky.

But these seemingly impossible things were turned to the improbable and then to the inevitable by people with vision and determination to make their vision real. A determination to build.

DARPA program managers have a hunger to succeed, a sense of urgency, and a commitment to the Nation’s Security. For more than 50 years, the Agency has sought the Nation’s best, given them the resources they need, and cleared the obstacles in their way. The lifeblood of DARPA is the cadre of program managers and leadership executives that represent some of the best technical minds in the country. Professionals who put their careers in suspended animation in service to country.

Accountable to the Agency, to the Department, and to our Warfighters, DARPA’s program managers are drawn from academia, industry, non-profits, the Services, and laboratories and serve for a tour of 3 to 5 years. Program managers, office directors, the Director, and the Deputy Director: all change on a regular cadence. This practice results in roughly 25 percent annual starts and exits and ensures the Agency is current with existing and emerging technological trends, encourages a continual challenging of conventional approaches, and imparts an ethic of urgency.

One key continuing challenge for the Agency and, by extension, for the well-being of the Department of Defense is recruiting this talent to service. DARPA’s ability to do so demands rapid, agile and efficient hiring. In the last 2.5 years the Agency has recruited more than 75 new program managers – this has been essential to many of our efforts including DARPA’s significantly expanded cyber program and our big data efforts in support of operations in Afghanistan, among others.

DARPA has demonstrated successful and responsible use of its hiring authorities. Indeed, the Agency has been at essentially present-day personnel levels since 1992 and has never exceeded the allocated top-line number of authorized full-time equivalents. Timelines for hiring within the Agency are short and match the cadence and tempo of tours reflected above. Simply put, we cannot undertake a 6-month or even a year-long hiring activity, as is common in government, for a technical subject matter expert critically needed to undertake efforts in response to a technological shift and with other competing career opportunities. Rather, we need to sustain an efficient and expedient engagement that is naturally always within the construct of fiscal, ethical, and legal responsibilities. This is not something we can afford to risk. Together we must protect it vigorously.

Our business practices are a vital part of building. Execution is what allows the people at DARPA to build. To turn ideas into reality, the Agency must operate effectively with agility, speed, and technical and administrative integrity. DARPA executes a budget of nearly $3 billion as appropriated by Congress. It does so with approximately 120 program managers and a roughly equal number of Government support staff. Financial resources and lean business practices allow the Agency to pursue ideas that most dare not touch.

And to do so quickly. There are no entitlements to programs or people, no captive laboratories, no immutable tenets. The Agency applies a “thoughtful ruthlessness” in its dogged pursuit of the best people, ideas, and output.

The breadth, urgency, and technical demands of DARPA programs are real. The innovative ideas the Agency pursues are fragile and fleeting, and the organization’s business practices must be aligned with the speed and flexibility required to pursue those ideas. The authenticity of Defense applications demands an organization dedicated to excellence in execution through all levels of management, policies, and personnel. Indeed, in the face of such pressures, creativity requires heroic intellectual leaps not just from the technical side of the organization, but equally from the support side of the organization. DARPA has support offices dedicated to essential functions that enable the mission through innovative practices that mirror the technical innovations of the Agency.

In past years, Congressional oversight committees expressed concern that DARPA’s financial execution was inadequate; specifically, that DARPA was not obligating a significant fraction of the money it had requested. These concerns resulted in budget cuts and rescissions, but, as well, obligation delays meant fewer resources at work for the Department. In our 2010 written testimony, we reported on the steps the Agency had taken to improve business process and the resulting, significant improvements in financial execution.

In 2011, we maintained our emphasis on responsible and efficient financial execution. At the end of September 2011, the Agency’s obligation rate was 21 points higher (85 percent) than the 5-year average (64 percent) despite the delayed 2011 Appropriations signing. At the end of fiscal year 2011, the improved execution translated into more than $600 million in the performer community, working for the Department and Nation.

Speed is part of the vibrancy of innovation and building. Better business practices are just better Government. It affects not only the performers, but the Agency too. People come to DARPA not for careers in Government, but to serve.

Over the decades, this cadre has consistently delivered. The list of historical achievements is well known, long, and includes stealth, the Internet, and UAVs. Today we are working on the production of vaccines from tobacco plants measured in days rather than months; prosthetics controlled directly by thoughts; and clean-slate, convergent approaches to defensive and offensive cyber security capabilities among many other innovations.

Discouraging the fear of failure

Doing things that have never been done before, building the future, comes with risk. Risk of failure. As a Department, as a Nation, we must not forget that great accomplishments often had failure along the path. We cannot fear it.

The history of the Corona program and imaging satellites tells us that it took 13 launches over several years before the first images were collected. Thirteen. Each of the other 12 launches failed to collect a single image. No doubt, some at the time called them failures. But each of those 12 launches informed the next build and successively created the capability of imaging satellites from what seemed impossible, to just improbable and, eventually, inevitable. The first successful flight in 1960 covered 1.65 million square miles of Soviet territory—more than all earlier U-2 missions combined. A more recent example is HTV-2, a DARPA program that is part of the Department’s prompt global strike activities. HTV-2 seeks to travel at Mach 20 in an unmanned, boost-glide, maneuvering vehicle. The fastest high lift-to-drag ratio aircraft ever built. Mach 20. Twenty times the speed of sound. That means anywhere in the world in 60 minutes or less. Or New York to Los Angeles in 11 minutes and 20 seconds, with the surface of the vehicle at blast furnace temperatures: 3500 degrees F—the temperature of molten steel. We are essentially burning the airfoil as we fly it. It might seem impossible. It’s not. It’s just hard. There have been two test flights to date.

The first revealed an underestimation in the simulation of aerodynamic effects in one of four variables needed for controlled hypersonic flight. The second flight demonstrated that we had fixed the aerodynamic control problem from the first flight, and precisely because we reached a different stage of the flight, we had 3 minutes of fully aerodynamically controlled flight at Mach 20. Although neither of the flights completed all elements of the tests, the two flights combined fielded the largest collection of flight-test assets ever assembled and yielded more aerodynamic and test measurement data at these hypersonic regimes than has been collected in ground tests over the last 40 years. There’s no way to learn to fly at Mach 20 unless you build… and fly. From hypersonic flight to detecting overpressure during blasts, building remains important. A persistent, acute DoD need has been for a reliable, accurate and affordable method to detect and characterize traumatic brain injury (TBI). We undertook basic and fundamental work in neuroscience and the effect of blasts on the fine structure of the brain that revealed the role of overpressure in TBI. Overpressure waves distinguish blast exposure from other causes of TBI (for example, sports injuries, where acceleration and kinetic impact, but not overpressure, are the contributors). Informed by this neuroscience work, DARPA launched a program to build, demonstrate, and evaluate a blast gauge that incorporated a pressure sensor, acceleration sensor, and recording electronics. Four versions of the gauge were built over the course of a year, for a total development cost of approximately $1 million.

Each version built on the learnings from both the use and the manufacturing of the earlier versions. In partnership with the Army, the final version was fielded to an entire brigade of 841 warfighters, the 2nd Brigade, 4th Infantry Division in RC South, over the course of six months, from August 2011 to February 2012. The initial units used to outfit the first brigade cost $85 per unit, 3 per warfighter per month of deployment, for a total cost of $1.6M. But over time, informed by the building and shipping of over 16,000 units and incorporating improved manufacturing processes, the cost is now approximately $45 per unit, and the next brigade will be outfitted for $540,000. At DARPA we plan for success, not failure. We don’t seek, embrace, or celebrate failure. We learn from our failure, and we build future capabilities through persistence, focus, and informed trial. We don’t encourage failure; we discourage the fear of failure.

The price of not building

In the best of times, failure is difficult to endure. There is a hunger and need to be efficient. To husband our resources. In times of fiscal pressure that hunger is sharper. The conventional wisdom and response for relief is to roadmap, coordinate and plan to better predict and better prepare. To slow our efforts so as to retire more risks, to build less often and thus lower costs.

If we can improve our predictions, we can better plan for and build the systems needed. The argument being, “We can’t afford to fail.” The trouble with this approach is that, out of balance, it fails to weigh the risks of not building. Because it is equally important not to lose sight of the companion worry: “What’s the price of not building often and along shorter timelines?” At DARPA we examined this fundamental argument through the lens of two parameters: per-system cost and total number of systems to be purchased. Across many different types of representative defense systems (air, land, and sea) over the last 2 to 3 decades, the analysis reveals a consistent and disturbing pattern. Programs of record begin with a target per-system cost and total number of systems to be purchased. Over the course of a program, due to a variety of factors including financial constraints, technical risks and changing priorities, there is a steady increase in the per-system cost and a corresponding decrease in the total number of systems to be purchased. For the systems we analyzed, with associated development and fielding times ranging from 14 to 30 years, the final number of systems purchased was typically one-fourth the original number envisioned at the start of the programs. The judgment of whether fielding one-fourth of the original number of systems is enough is not DARPA’s. This pattern of increasing timelines to initial operational capability, increasing cost per unit delivered, and companion decrease in the number of units is divergent with an increasingly dynamic threat environment. Our next step was to attempt to reveal what is causing the divergence. Many people are familiar with Norm Augustine’s chart that shows the extrapolated cost of a fighter aircraft intersecting with the Defense budget, such that sometime in 2054 the entire Defense budget will be required to buy one aircraft. Further, given the pace of global technological development and access, we can no longer afford the time it takes us to build Defense systems. In DARPA’s 2010 and 2011 written testimony, we highlighted and described the Agency’s advanced manufacturing initiative, with the focus on reducing and controlling for time. But it is not simply the argument that time is money. As a Department, we are at a juncture where not only the increasing cost but the increasing time it takes us to develop defense systems is a vulnerability in and of itself. In the past, defense technology could be relied on to be ahead of civil or commercial technology. Defense technology drove commercial technology, and the defense industry was often an early adopter and customer of new technologies. And in a few unique areas, defense will remain ahead of commercial capabilities. But the number of these areas is decreasing. In the last 2 decades, this long-standing precedent has begun to reverse, and commercial technology has begun to outstrip defense technology.

This is perhaps felt most acutely in cybersecurity and the consumer electronics products and services that have fundamentally changed the way we connect and interact with the world and each other.

Vulnerabilities created by commercial technologies

Unintentionally, and without malice, commercial consumer electronics has created vulnerabilities by enabling sensors, computing, imaging, and communications capabilities that, as recently as 15 years ago, were the exclusive domain of military systems. These capabilities are now in the hands of hundreds of millions of people around the world and in use every day. The effect of these commercial capabilities on Defense and National Security may be seen in the impact of these trends on electronic warfare (EW) systems and anti-access and area denial (A2AD). EW: an area of historic advantage to the US military; and A2AD: an area of increasing concern in several strategic regions of the globe. This is not an abstract vulnerability. We have not enjoyed spectrum dominance since about 1997. Up until then, our EW systems could both detect and respond effectively to EW threats directed at us. In the last 15 or so years, however, that has ceased to be true. In both waveform complexity and carrier frequency, adversaries have moved to operating regimes currently beyond the capabilities of our systems. What we find are three principal reasons why it has been possible to apply commercially available electronic capabilities to produce military-grade EW systems. First, as microelectronic devices continue to shrink in size, they are, perhaps counterintuitively, also improving in performance.

For example, smaller microelectronic devices are able to switch faster and, thus, operate at higher frequencies. This means that specialized microelectronic devices produced for DoD are now matched or nearly matched in performance by standard silicon-based microelectronics commercially available from multiple, global sources. Second, custom signal processing chips that took 2 to 3 years to develop and required chip designers, sophisticated design and simulation tools, and chip fabrication facilities are increasingly being replaced by programmable chips, or field-programmable gate arrays (FPGAs). Unlike custom signal processing chips, which have their specific function fixed at the time of fabrication, FPGAs can be programmed, and reprogrammed, like software, after fabrication. This means that developers can cut as much as 18 months off development schedules, from 3 to 4 years to as little as 1.5 years. Finally, the demand created by the global, mobile communications industry has led to a global manufacturing capacity and economic efficiencies that deliver the above capabilities at ever decreasing prices. EW was once the province of a few peer adversaries. It is now possible to purchase commercial off-the-shelf (COTS) components for more than 90 percent of the electronics needed in an EW system. This has reduced the barriers to developing, producing, and fielding such systems to within the capabilities of many nation states and non-state actors. And because of the improved performance of commercially available, programmable microelectronics, nearly a dozen countries are now producing EW system variants and new versions at a much faster cadence than we have: from a pace of a new system every 5 to 10 years 2 decades ago, to one every 1.5 years today.

This means that our conventional approaches no longer afford us a time or capability advantage. Increasingly, our conventional approaches are divergent with the threat. These insights led us to new investments that leverage COTS technology where it makes sense to, counter COTS where we need to, and transcend COTS where practical.

Leveraging COTS

If a commercial computer chip is fast enough to accomplish a task in a US military system, there is no point in designing an alternative; just use what is available. This does not imply equivalent capability at the system level. Namely, we are not doomed to an even playing field just because we are using the same processor chip as an adversary. We can make a network of such chips to overcome the adversary’s system. Better algorithms tightly integrated with the hardware, and improved cooling to wring more performance from each chip, are two examples where technological advances would allow us to prevail even when we are all using the same basic technology.

Countering COTS: alternatives to GPS as an example

We use the global positioning system (GPS) because it is cheap and easy. It is COTS for us: most of our precision-guided munitions capability, as well as timing for our command and control systems, has become dependent on GPS. The adversary knows this and has aggressively sought means to counter our dependency on GPS. Jammers and commercially driven spectrum compression may threaten our ability to use GPS in denied areas.

Attempts to make GPS receivers that can survive that jamming are impractical and not convergent with the threat. GPS signals are inherently weak. The ease with which GPS signals are jammed or spoofed motivates the development of alternative position, navigation, and timing approaches that are not dependent on GPS alone. An example of how we might counter COTS is to recognize that GPS is just one way of providing positioning, navigation, and timing data. But it is not the only way. We might carry our own navigation system. The same trends in COTS advances, used to build alternative navigation guidance systems such as highly integrated, inexpensive, low power accelerometers and gyros, may enable the DoD to accomplish its mission even when GPS is denied. Our analysis revealed that extending the performance of today’s inertial guidance systems by a factor of 20 (from roughly 1 minute to 18 minutes) will permit 98 percent of our GPS-dependent weapons to operate at GPS accuracy during their mission duration without a GPS signal.

Transcending COTS

COTS electronics is a formidable source of new, high performance technology, but it has inherent limitations. The main one is economics: industry is motivated by the profit incentive, and modern electronics is extremely expensive to design and produce in small volumes. This highly nonlinear effect of high volume manufacturing is why the extremely complex technology inside cell phones appears to be so cheap. This opens a window of opportunity for the US military: anywhere that product unit volumes will be low, COTS electronics will be unavailable.

Very high power transmit/receive modules for radars and radios, for example, are simply unnecessary in the COTS space, so the Military must design and produce its own. Although this performance advantage will come with a cost greater than commercial products, this means the United States will enjoy a technical lead over any potential adversary who cannot invest and do likewise.

Operational vice intelligence capabilities in cybersecurity

In cybersecurity, we have the area that most highlights the danger of taking too long to build. The shelf life of cybersecurity systems and capabilities is sometimes measured in days. Thus, to a greater degree than in other areas of defense, cybersecurity solutions require that we develop the ability to build quickly, at scale, and over a broad range of capabilities. This is true for both offensive and defensive capabilities. DARPA’s role in the creation of the Internet means we were party to the intense opportunities it created and share in the intense responsibility of protecting it. We should emphasize that national policymakers, not DARPA, will determine how cyber capabilities will be employed to protect and defend National Security interests. But the Agency has a special responsibility to explore the outer boundaries of such capabilities so that the United States is well prepared for future challenges. To date, there has been much focus on increasing our defensive capabilities. To be sure, the list of needed capabilities is long.

Our networks may be safer than they were, but systems are often easily penetrated, accounts are routinely hacked, intellectual property and sensitive information are compromised, and the supply chain is not secure. And because computers are embedded in nearly all our systems, cyber attack cannot be regarded as a threat only to our networks and information, but rather to all our physical systems as well. Protecting cyberspace and the Nation requires both significantly enhanced defensive and offensive cyber capabilities; capabilities across the full spectrum of the conflict. Of note, our Intelligence Community has significant cyber capabilities, but they are geared predominantly to intelligence tasks. The tasks required for Defense purposes are sufficiently different that we cannot simply scale our intelligence cyber capabilities and adequately serve the needs of the Department of Defense. Rather, we need cyber options that can be executed at the speed, scale, and pace of our military kinetic options, with comparable predicted outcomes. Modern warfare demands the effective use of cyber, kinetic, and combined cyber and kinetic means. That will happen only if cyber capabilities are at scales and speeds matched to our kinetic options. Informed by these insights and with a willingness to accept our responsibility to contribute, we assessed that DARPA has a significant role to play. We recruited an expert cyber team of individuals from diverse experiences including the “white hat” hacker community, academia, labs and nonprofits, and major commercial companies, in addition to the Defense and Intelligence Communities.

We launched several programs, increased the level of activities in others, and closed some out. Our cyber efforts are designed to create the capabilities needed for military missions. We need more options. We need more speed and scale. We need approaches that match the diversity, dynamic range, and operational tempo of DoD activities. This cannot be achieved by simply doing more of what we’ve been doing or by increasing our intelligence-oriented cyber capabilities. Examples include programs such as Clean-Slate design of Resilient, Adaptive, Secure Hosts (CRASH), which takes its inspiration from the defensive mechanisms of biological systems and seeks to develop cybersecurity technologies by radically rethinking basic hardware and systems designs. And PROgramming Computation on EncryptEd DATA (PROCEED), a big-reach program motivated by recent breakthroughs in what is called fully homomorphic encryption, which could fundamentally change the nature of assured computations on untrusted hardware. If successful, PROCEED puts cybersecurity into an encryption realm, a realm that requires state-level computational resources. The Cyber Fast Track program recognizes an untapped pool of experts and innovators who could contribute, if we provide a path. That path matches both their execution and the shelf life of cybersecurity products. In the last 7 months, more than 100 proposals were received by Cyber Fast Track, and 32 awards were made.
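The idea behind PROCEED, computing on data that stays encrypted so that the machine doing the work never learns the plaintext, can be illustrated with a much simpler scheme than the fully homomorphic encryption the testimony refers to. The block below is an added Python example, not DARPA or PROCEED code: it implements textbook Paillier encryption, which is only additively homomorphic (encrypted addition and multiplication by a public constant), using two constructed toy primes `P` and `Q` that are far too small to be secure. An "untrusted" party combines ciphertexts without the private key, and only the key holder can decrypt the correct result.

```python
"""Additively homomorphic encryption (Paillier) as a worked example of
computation on encrypted data.  Added illustration, not PROCEED code.
Partially homomorphic only: addition and scalar multiplication, not
arbitrary computation.  Toy-sized primes: insecure, but instant to run.
"""
from math import gcd
import random

# Constructed toy parameters (NOT secure): two small primes of equal size.
P = 1000003
Q = 1000033


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def keygen(p: int = P, q: int = Q):
    """Return (public_key, private_key) for Paillier with g = n + 1."""
    assert _is_prime(p) and _is_prime(q) and p != q
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With g = n + 1, L(g^lam mod n^2) == lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pub, m: int, rng=random.SystemRandom()) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n.
    The random r makes two encryptions of the same m look unrelated."""
    n, g = pub
    assert 0 <= m < n
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Homomorphic addition: Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2).
    Needs only the public key, so an untrusted host can do it."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Homomorphic scalar multiply: Enc(m)^k mod n^2 == Enc(k * m)."""
    n, _ = pub
    return pow(c, k, n * n)


def demo() -> tuple:
    """Key holder encrypts two values; the 'untrusted' side adds them and
    scales one by 3 using ciphertexts alone; key holder decrypts results."""
    pub, priv = keygen()
    c1 = encrypt(pub, 42)
    c2 = encrypt(pub, 58)
    total = decrypt(pub, priv, add_encrypted(pub, c1, c2))        # 100
    tripled = decrypt(pub, priv, scale_encrypted(pub, c1, 3))     # 126
    return total, tripled


if __name__ == "__main__":
    print(demo())
```

The point to take from `add_encrypted` and `scale_encrypted` is that neither touches the private key: the party holding the data in encrypted form learns nothing about the operands or the result, which is the property a scheme like the one PROCEED pursued would extend from addition to arbitrary programs.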

Just as important, the average time from receipt of proposal to award is 7 days. We note that the process and contracting mechanism rigorously meets DoD regulations for competition and awards; we need not be slow to be fair, ethical, or prudent. Eighty-four percent of these small companies and performers have never done business with the Government before, expanding the number and diversity of talent contributing to the Nation’s cybersecurity. Since 2009, DARPA has steadily increased its cyber research. Our cyber research funding is increasing from $228 million in FY2012 to $246 million in FY2013. And over the next five years, our proposed investment in cyber research will grow steadily from 8 percent to 12 percent of topline. We are also shifting our investments to activities that promise more convergence with the threat and that recognize the unique needs of the Department of Defense. To this end, in the coming years, DARPA will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs. We began these efforts on our own. But part of the growth in our resource commitment beginning in 2012 and extending through 2017 is at the hand of senior leaders in the Department, who added $500 million over 5 years for clean-slate, convergent cyber research at DARPA. DARPA’s engagement in cyber is not new. This expanded effort builds on an existing foundation and continuing contributions to cyber. Indeed, past DARPA-developed technologies are widely prevalent in military, intelligence, and commercial use today. But there is still much to do.

DARPA activities are part of a larger whole within National Security at the National Security Agency, the newly formed CYBERCOMMAND, the Services, the private sector, universities, nonprofits and, as appropriate, the Department of Homeland Security. Clearly, the challenges of cyberspace require the concerted efforts of many. Indeed, we all must be protectors of and operate within cyberspace. And these challenges also demand the involvement of technical experts at unprecedented levels. We expect that part of our responsibility will be in advisory roles during the formation of policy and legal frameworks, because new policies and laws, domestic and international, must be executable, enforceable, and sustainable. To be of use, such policies and laws will demand evaluation and adjustment on timescales that correspond to the dynamic nature and compressed evolutionary timescales of advances in cyberspace. We’ll have to move faster than we are accustomed to. We’ll need the tools and guidance to do so.

Discomfort and strategic surprise

Some of these observations feel uncomfortable. Even to us. Our responsibility, however, is to the uncomfortable. It is the Agency’s singular mission to identify divergences and the threats and opportunities they represent. These are the seeds of strategic surprise. We need approaches that are convergent with the challenges and deliver systems and solutions on timescales and with agilities that match operational needs.

In this time of fiscal constraint, we are committed to doing our part. But this does not mean that we lose our nerve for building. Thank you.

NUMBER 8

FSA statement regarding CRD IV implementation

The draft European Union legislation to update the capital requirements framework, known as CRD IV, has been under discussion between the European Parliament, European Commission and Council of Ministers. These discussions originally aimed to finalise an agreed position by end June 2012, enabling adoption by the European Parliament plenary in early July 2012.

Following the delay of the Parliament’s plenary vote and the recent statement by the Rapporteur of the European Parliament and the discussion of the Council of Economic and Finance Ministers, it is clear the legislation will not be adopted earlier than autumn 2012. Following adoption it is necessary for verification, translation and signature of the EU legislation to take place before it can be published in the Official Journal of the European Union. Publication in the Official Journal is a necessary precursor to EU legislation entering into force.

On this basis it does not appear feasible that the legislation can enter into force in line with the implementation date of 1 January 2013 as included in the original European Commission proposal of July 2011. No alternative date has yet been communicated by the EU institutions.

Furthermore, reflecting the delay in the negotiation process, the European Banking Authority (EBA) issued a press release on 31 July setting out the potential need to phase in or flexibly apply certain technical standards to ensure a practical approach to implementation.

In light of these developments the FSA will keep the situation under active review and continue to support the European institutions in their efforts to reach a conclusion on the final version of the legislation. The FSA will continue to undertake all preparatory work that is possible in the absence of finalised legislative text, in full expectation that the EU legislation will follow the Basel III implementation timetable. We expect all firms in scope of CRD to do likewise.

Banks must remain mindful of the vital importance of the direction set by Basel III for banking system stability. In particular the FSA will continue to undertake its supervision of banks in a manner consistent with the recommendations of the 22 June meeting of the interim Financial Policy Committee (FPC) of the Bank of England. The interim FPC recommended that: taking into account each institution’s risk profile, the FSA works with banks to ensure they build a sufficient cushion of loss-absorbing capital in order to help to protect against the currently heightened risk of losses; that cushion may temporarily be above that implied by the official transition path to Basel III; and banks should continue to restrain cash dividends and compensation in order to maximise the ability to build equity through retained earnings.

The FSA reminds those investment firms that are currently subject to the Capital Requirements Directive that they will be impacted by the CRD IV legislation and that they too should prepare accordingly.

The introduction of Common Reporting, which is incorporated into the requirements in CRD IV, is dependent on delivery of the necessary technical systems and on implementing technical standards to be drafted by EBA under CRD IV and adopted by the European Commission.

The FSA is proceeding with the necessary preparatory work to be ready to begin collecting data under Common Reporting for the period beginning 1 July 2013, should the legislation and related standards be finalised by this date. In line with the press release issued by EBA, the FSA will take account of any phase-in plans incorporated into the implementing technical standards on supervisory reporting.

NUMBER 9 Understanding better…

Information Operations, Electronic Warfare, Computer Network Operations

Information Operations

The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own.

Also called IO.

Electronic Warfare

Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy.

Also called EW.

The three major subdivisions within electronic warfare are: electronic attack, electronic protection, and electronic warfare support.

a. Electronic attack. That division of electronic warfare involving the use of electromagnetic energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability and is considered a form of fires.

Also called EA.

EA includes:

1) Actions taken to prevent or reduce an enemy’s effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception, and

2) Employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism (lasers, radio frequency weapons, particle beams).

b. Electronic protection. That division of electronic warfare involving passive and active means taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of electronic warfare that degrade, neutralize, or destroy friendly combat capability.

Also called EP.

c. Electronic warfare support. That division of electronic warfare involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate or localize sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition, targeting, planning and conduct of future operations.

Thus, electronic warfare support provides information required for decisions involving electronic warfare operations and other tactical actions such as threat avoidance, targeting, and homing.

Also called ES.

Electronic warfare support data can be used to produce signals intelligence, provide targeting for electronic or destructive attack, and produce measurement and signature intelligence.

Computer Network Operations

Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.

Also called CNO.

Computer network attack

Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.


Also called CNA.

Computer network defense

Actions taken through the use of computer networks to protect, monitor, analyze, detect and respond to unauthorized activity within Department of Defense information systems and computer networks.

Also called CND.

Computer network exploitation

Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.

Also called CNE.

Psychological Operations

Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.

The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator’s objectives.

Also called PSYOP.

Military Deception

Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly forces mission.

Also called MILDEC.

Operations Security

A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to:


a. Identify those actions that can be observed by adversary intelligence systems;

b. Determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and

c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Also called OPSEC.

Note:

Air University, with headquarters at Maxwell Air Force Base, Ala., is a key component of Air Education and Training Command, and is the Air Force's center for professional military education.


NUMBER 10 An interesting article about China. We will be glad to discuss other opinions in our next newsletter.

China’s Slowdown May Be Worse Than Official Data Suggest

by Janet Koech and Jian Wang

In the months following the 2008–09 economic crisis, emerging-market economies robustly rebounded.

Output in China and India expanded more than 10 percent in 2010, and Brazil’s gross domestic product (GDP) growth of 7.5 percent was its best performance in 25 years.


Emerging-market economies retraced their precrisis level of industrial production by 2009, while advanced economies remained below their precrisis levels in 2012 (Chart 1). But the strong emerging-market rebound—most significantly in China—hasn’t endured.

When China’s average GDP growth remained above 9 percent in 2011, hopes rose that a sustained recovery would prop up the world economy amid the European sovereign debt crisis and subpar growth in the U.S. However, China’s economy deteriorated rapidly in 2012, with GDP growth slowing to 8.1 percent in the first quarter from 8.9 percent at year-end 2011. Second quarter GDP growth slid further, to 7.6 percent, the lowest reading since the height of the global financial crisis in early 2009.

Even with the decline, there is speculation that these figures may still understate economic slowing. Economists have long doubted the credibility of Chinese output data. For example, some studies indicate that GDP growth was overstated during the 1998–99 Asian financial crisis, when official figures reported that China’s GDP grew on average 7.7 percent annually. Alternative estimates using economic activity measures such as energy production, air travel and trade data ranged from 2 percent to 5 percent.

The dubious character of the official figures is no secret in China. Senior government officials, including Vice Premier Li Keqiang, dismiss official GDP data as “man-made” and “for reference only” because of political influence, particularly at the local level, on data reporting.


Data Reliability

To get a more accurate picture of China’s economy, economists examine other measures of activity that closely track growth but are less prone to political interference than output data. Industrial electricity consumption, a major production input, serves as such a proxy. If industrial output grows at a slower pace, electricity consumption should behave similarly. China’s year-over-year growth rates of industrial electricity consumption and industrial production are shown for 2011 and 2012 in Chart 2.


Red dots, illustrating 2012 activity, are below the blue dots, depicting 2011, which indicates that the growth rate of industrial electricity consumption is relatively lower this year. This is consistent with China’s recent economic slowdown. The chart also shows fitted linear trends—a way of extrapolating activity over a longer period—computed using 2011 data only (solid line) and 2011 and 2012 data (dashed line). This depiction relies on just these two years because of limited electricity-consumption reporting by the China Electricity Council. Hence, these results should be viewed with caution.

As expected, Chart 2 shows that there is a tight relationship between industrial electricity consumption and industrial output. As industrial production growth expands, China’s industries consume more electricity, and vice versa. However, a closer look at the chart raises questions. Consider a scenario in which electricity consumption doesn’t increase. To illustrate this, we extend the linear trend lines to the horizontal axis (representing no change in electricity consumption). The lines intercept the axis at 5 and 7.5, implying that China’s industrial production continues to grow 5 percent or 7.5 percent annually (depending on which trend line we use) even when electricity consumption remains constant. Although heightened electricity consumption efficiency could induce positive industrial production growth, a 7.5 percent growth rate seems too large to attribute to efficiency gains alone.

The solid line computed using just 2011 data is flatter than the dashed line computed using both 2011 and 2012 data. Extrapolating from the trend line that includes just 2011 data points yields a lower, more reasonable industrial production growth rate of about 5 percent when the electricity consumption growth rate is zero. The same data are shown in Chart 3, with only the 2011 trend line depicted.

Suspiciously, all 2012 data (red dots) lie below the trend line. This suggests that given the amount of electricity consumed, China’s official industrial production figures for 2012 are higher than those implied by the 2011 data trend. For instance, China’s industrial electricity consumption grew 5.6 percent on a year-over-year basis in March 2012.


Using the trend from 2011 data, the estimate for March’s industrial production growth is about 9.3 percent rather than the 11.9 percent reported in the official data. This discrepancy could be due to unintentional, random survey errors. However, it is hard to imagine that all available 2012 data erred on the side of overstating industrial production growth. Rather, it suggests that China might have overstated its 2012 industrial production data to mask the economy’s weakness. In other words, the slowdown in China could be worse than the official data indicate.

Composition of Production

Of course, other factors may explain why all red dots lie below the trend line in Chart 3. For example, growth of industrial production varied across sectors whose consumption of electricity per unit of output differs. For a unit of output, a company involved in steel production will generally consume more electricity than a factory making T-shirts. If the growth rate of the steel industry slowed more than that of the textile industry, we would expect to see the growth in electricity consumption decline faster than the growth of total industrial output. To address this industry composition effect, we include output growth of two different sectors in our data: the heavy and light industrial sectors. The heavy industrial sector (for example, the steel industry) usually consumes more electricity than the light sector (the textile industry).


The relationship between electricity consumption and industrial output can be more accurately estimated by analyzing the two sectors separately than by using aggregate industrial output data. Accounting for the sectoral difference yields more sensible results when 2011 data are analyzed. When industry electricity consumption remains constant—that is, it shows a zero growth rate—light industrial sectors grow at an annual rate of 2.8 percent, a much smaller reading than the 5 percent for aggregate output. On the other hand, the heavy industrial sectors contract 1.9 percent, reflecting this industry’s relatively heavy reliance on electricity.

Chart 4 plots actual electricity consumption growth in China (purple line) together with estimated electricity consumption using 2011 output data for light and heavy industries (orange line). The two lines track each other closely, indicating a tight relationship between electricity consumption and output in the heavy and light industries. The blue line shows the forecast growth of electricity consumption in 2012, computed from the relationship estimated from 2011 data. The official industrial production data square well with electricity consumption in March 2012; predicted consumption data almost perfectly match the reported data. During March, growth in heavy industries declined sharply to 11.2 percent from 13 percent in December 2011, while growth in the light industries increased to 13.9 percent from 12.6 percent over the same period. The difference in growth between the heavy and light industries explains the overall sharp decline in electricity consumption, while overall industrial output growth remained strong in March 2012.

In the subsequent months, however, the out-of-sample forecasts diverge substantially from the actual data. Given the official industrial production numbers, our model suggests that China should have consumed about twice as much electricity as it actually did. This is not surprising after closer examination of the data. From April to June, growth in the light industries declined more than in the heavy industries, a reversal of March’s activity. Given such a pattern in China’s official industrial production data, electricity consumption growth should have dropped only moderately.


However, China’s actual electricity consumption continues to decline sharply from April to June, raising doubts about the accuracy of the official industrial production figures.
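The two checks the article walks through, the single trend line of Charts 2 and 3 (read off where it crosses the horizontal axis, then ask what output growth the observed 2012 electricity growth implies) and the two-sector model of Chart 4 (fit electricity growth on light- and heavy-industry output growth, then forecast 2012 consumption from the official output mix), reduce to ordinary least squares and a sign test on the residuals. The Python below is an added example written for this newsletter; it is not code from the Dallas Fed article or its authors. All growth figures in it are constructed, chosen so that the 2011 relationship is exactly linear and the fitted numbers can be checked by hand; they are not the China Electricity Council or National Bureau of Statistics series the authors used, and the function and variable names are the example's own.

```python
# Added example: proxy-consistency check of reported output growth against
# electricity consumption growth, in the spirit of the Koech/Wang analysis.
# All figures below are CONSTRUCTED for illustration (percent, year over
# year); they are not the China Electricity Council or NBS data the article
# uses. The 2011 rows follow an exact linear relationship on purpose, so the
# fitted numbers can be verified by hand.

# Aggregate data (Charts 2 and 3): industrial production (IP) growth and
# industrial electricity consumption growth.
IP_2011 = [14.0, 12.5, 11.0, 15.5]        # constructed: elec = -20/3 + 4/3 * ip
ELEC_2011 = [12.0, 10.0, 8.0, 14.0]
IP_2012_OFFICIAL = [11.9, 9.6, 9.5]       # constructed "official" IP growth
ELEC_2012 = [5.6, 4.0, 2.0]               # constructed actual electricity growth

# Sectoral data (Chart 4): light and heavy industry output growth and
# electricity growth, constructed as elec = -3 + 0.3 * light + 0.9 * heavy.
LIGHT_2011 = [12.0, 11.0, 13.0, 10.0, 14.0]
HEAVY_2011 = [13.0, 14.0, 12.0, 12.0, 15.0]
ELEC_SECT_2011 = [12.3, 12.9, 11.7, 10.8, 14.7]
LIGHT_2012 = [13.9, 10.0]                 # March-like month, then a later month
HEAVY_2012 = [11.2, 10.0]
ELEC_SECT_2012 = [11.25, 4.5]             # actual: matches in March, halves later


def solve(a, b):
    """Solve the square linear system a x = b by Gaussian elimination with
    partial pivoting. a is a list of rows, b the right-hand side."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: regressors are collinear")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fit_ols(rows, ys):
    """Ordinary least squares y = b0 + b1*x1 + ... + bk*xk via the normal
    equations (X'X) b = X'y. rows holds the regressors without the
    intercept column; the intercept is added here. Returns [b0, b1, ..., bk]."""
    X = [[1.0] + list(row) for row in rows]
    k = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(X, ys)) for i in range(k)]
    return solve(xtx, xty)


def predict(coefs, row):
    """Evaluate the fitted line/plane at one observation."""
    return coefs[0] + sum(b * x for b, x in zip(coefs[1:], row))


def aggregate_check(ip_2011, elec_2011, ip_2012_official, elec_2012):
    """Charts 2 and 3. Fit elec = a + b * ip on 2011 data (electricity on
    the vertical axis, output on the horizontal, as in the article). The
    crossing with the horizontal axis, ip = -a/b, is the output growth
    implied when electricity consumption does not grow. For each 2012
    observation, invert the line to get the output growth implied by the
    observed electricity growth; a positive gap (official minus implied)
    means the point sits below the 2011 line, i.e. output looks overstated.
    Assumes b > 0 (more output, more electricity)."""
    a, b = fit_ols([[x] for x in ip_2011], elec_2011)
    implied = [(e - a) / b for e in elec_2012]
    gap = [o - i for o, i in zip(ip_2012_official, implied)]
    return {
        "ip_growth_at_zero_elec": -a / b,
        "implied_ip_2012": implied,
        "gap": gap,
        "all_below_trend": all(g > 0 for g in gap),
    }


def sectoral_check(light_2011, heavy_2011, elec_2011, light_2012, heavy_2012, elec_2012):
    """Chart 4. Fit elec = c + wL * light + wH * heavy on 2011 data, forecast
    2012 electricity growth from the official sectoral output figures, and
    report forecast / actual. A ratio well above 1 means the reported output
    mix should have drawn far more electricity than was actually consumed."""
    coefs = fit_ols(list(zip(light_2011, heavy_2011)), elec_2011)
    forecast = [predict(coefs, [l, h]) for l, h in zip(light_2012, heavy_2012)]
    ratio = [f / a for f, a in zip(forecast, elec_2012)]
    return {"coefs": coefs, "forecast_elec_2012": forecast, "forecast_over_actual": ratio}


if __name__ == "__main__":
    agg = aggregate_check(IP_2011, ELEC_2011, IP_2012_OFFICIAL, ELEC_2012)
    print("IP growth implied at zero electricity growth: %.2f" % agg["ip_growth_at_zero_elec"])
    print("2012 official minus implied IP growth:", [round(g, 2) for g in agg["gap"]])
    print("every 2012 point below the 2011 trend:", agg["all_below_trend"])
    sec = sectoral_check(LIGHT_2011, HEAVY_2011, ELEC_SECT_2011, LIGHT_2012, HEAVY_2012, ELEC_SECT_2012)
    print("forecast / actual electricity growth 2012:", [round(r, 2) for r in sec["forecast_over_actual"]])
```

On the constructed inputs the 2011 line crosses the output axis at 5 percent, the observed 2012 electricity growth of 5.6 percent implies output growth of 9.2 percent against a reported 11.9, and the sectoral model forecasts twice the electricity actually consumed in the later month, mirroring the article's three findings. The test is deliberately crude: with four or five data points one outlier moves the fit, so what the authors lean on is the sign pattern (every 2012 point on the same side of the 2011 line), not the size of any one residual, and the same caution the article attaches to its two-year sample applies here.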

Improving Data Reporting

Although China’s economic growth has slowed sharply in recent months, evidence suggests that the situation may be worse than reported. Several factors contributed to China’s slowdown. Demand for China’s exports in Europe and the U.S. has weakened amid the deepening European sovereign debt crisis and sluggish U.S. economic activity. Additionally, China’s policy response following the global financial crisis is having unintended effects on its economy. China loosened monetary policy and undertook a massive fiscal stimulus program in response to 2008–09 developments. These policies, which cushioned the economy from the impact of falling demand for exports, had the unintended consequence of generating higher inflation and rising asset prices, particularly in the real estate sector. These developments forced China to reverse course and institute tighter monetary policy last year, creating another round of effects on the economy that continue this year.

China’s abrupt policy changes during the past two years are not historically unusual and have been criticized as a source of the country’s big economic swings, which hurt long-run growth. Future policymakers will need more, high-quality quantitative (as opposed to qualitative) economic research to avoid overshooting policy targets and to better stabilize the economy.


A critical first step is acquiring high-quality economic data, a process already in the works. China’s National Bureau of Statistics started a new data-collecting system under which businesses report industrial production data online directly to the national statistics agency in Beijing, reducing the chance of manipulation by local authorities. As the world’s second largest economy, China plays an increasingly important role in the global economy. Acquiring accurate economic data is not only useful to China’s policymaking, but also helpful to other nations, allowing them to better understand China’s current economic conditions and design their policies accordingly.

Koech is an assistant economist and Wang is a senior research economist in the Research Department at the Federal Reserve Bank of Dallas.


Certified Risk and Compliance Management Professional (CRCMP) Distance learning and online certification program. Companies like IBM, Accenture etc. consider the CRCMP a preferred certificate. You may find more if you search (CRCMP preferred certificate) using any search engine. The all-inclusive cost is $297. What is included in the price:

A. The official presentations we use in our instructor-led classes (3285 slides). The 2309 slides are needed for the exam, as all the questions are based on these slides. The remaining 976 slides are for reference. You can find the course synopsis at: www.risk-compliance-association.com/Certified_Risk_Compliance_Training.htm

B. Up to 3 Online Exams. You have to pass one exam. If you fail, you must study the official presentations and try again, but you do not need to spend money. Up to 3 exams are included in the price. To learn more you may visit: www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf www.risk-compliance-association.com/CRCMP_Certification_Steps_1.pdf


C. Personalized Certificate printed in full color. Processing, printing, packing and posting to your office or home.

D. The Dodd Frank Act and the new Risk Management Standards (976 slides, included in the 3285 slides). The US Dodd-Frank Wall Street Reform and Consumer Protection Act is the most significant piece of legislation concerning the financial services industry in about 80 years. What does it mean for risk and compliance management professionals? It means new challenges, new jobs, new careers, and new opportunities. The bill establishes new risk management and corporate governance principles, sets up an early warning system to protect the economy from future threats, and brings more transparency and accountability. It also amends important sections of the Sarbanes Oxley Act. For example, it significantly expands whistleblower protections under the Sarbanes Oxley Act and creates additional anti-retaliation requirements. You will find more information at: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm