Shostack + Friends Blog Archive


Regulations, Risk and the Meltdown

There is obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we should bang out the best deal we can before the rest of the banks in the US come falling like dominoes. As Bagehot said, no bank can withstand a crisis of confidence in its ability to settle. I think this knowing how distasteful and expensive it is, and with far better things to do with the $5,000 or so it will personally cost me as a taxpayer. (That $2,300 figure is per person.) I also think this knowing how poorly this administration has done in handling crises from 9/11 to Katrina, and how poorly it does when forced to act in a moment of crisis. (Sandy Levinson has some interesting comments at “A further Schmittian (and constitutional?) moment.”) Finally, we are not bailing out the banks at the cost of a free market in banking. We gave up on a free market in banking in 1913 or so, after J.P. Morgan (not his eponymous bank) intervened to fix the crises of 1895 and 1907.

What I did want to look at was the phrase “more regulation,” and relate it a little to information security and risk management.

US banks are already intensely regulated under an alphabet soup of laws like SOX, GLB, USA PATRIOT and BSA. They’re subject to a slew of additional contractual obligations under things like PCI-DSS and the Basel rules on capital. And that’s leaving out the operational sand which goes by the name AML.

In fact, the alphabet soup has gotten so thick that there’s an acronym for the acronyms: GRC, or Governance, Risk and Compliance. Note that two of those three aren’t about security at all: they’re about process and laws. In the executive suite, it makes perfect sense to start security with those governance and compliance risks which put the firm or its leaders at risk.

There’s only so much budget for such things. After all, every dollar you spend on GRC and security is one that you don’t return to your shareholders or take home as a bonus. And measuring the value of that spending is notoriously hard, because we don’t share data about what happens.

Just saying that measurement is hard is easy. It’s a cop-out. I have (macro-scale) evidence as to how well it all works:

  • Bear Stearns
  • Fannie Mae
  • Freddie Mac
  • Lehman Brothers
  • AIG
  • Washington Mutual
  • Wachovia
  • (Reserved)

I have a theory: in competition for budget within GRC, Governance and Compliance won. They had better micro-scale evidence as to their value, and that budget was funded before Risk was allowed to think deeply about risks.

There’s obviously immediate staunching to be done, but as we come out of that phase and start thinking about what regulatory framework to build, we need to think about how to align the interests of bankers and society.

If you’d like more on these aspects, I enjoyed Bob Blakley’s “Wall Street’s Governance and Risk Management Crisis” and Nick Leeson, “The Escape of the Bankrupt” (via Not Bad for a Cubicle [link no longer works]. Thurston points out the irony of being lectured by Nick “Wanna buy Barings?” Leeson.)

I’m not representing my co-author Andrew in any of this, but at least as I write this, his institution remains solvent.

5 comments on "Regulations, Risk and the Meltdown"

  • Mismeasurement of risk is a systemic problem, not one that’s isolated to the misfeasance or malfeasance of any bank.
    The standard models for evaluating credit risk assume a binomial model of dispersion; they are just like Black-Scholes in that regard. There’s a systematic underestimation of the likelihood of unusual events, and a systematic and willful ignorance of correlation.
    When Long Term Capital blew up it was in part because of unanticipated correlation in the markets; this one will eventually get diagnosed the same way.
    There’s good reason in the short term for traders to misunderstand and simplify risk; they get paid on the transaction happening, but the firm (or the government) takes the risk of the blow-up.

  • wordman says:

    I don’t think the “risk” part of GRC falls by the wayside because of budgets; it falls by the wayside because it’s really flippin’ hard.
    In order to manage financial risk properly, you not only have to be a lawyer, an economist, and a statistician, you need to be a GOOD lawyer, a REALLY GOOD economist and an AMAZINGLY GOOD statistician.
    Oh yeah… and you’ll never be able to tell if you got it right until everything goes to hell.

  • beri says:

    Edward: I don’t think those traders “misunderstood” anything. They made a lot of money doing whatever they wanted. In fact, they are being investigated by the SEC and the FBI for collusion and whatever else they call it when traders sell their lies back and forth (and make money, as you point out, on every trade).
    We don’t need regulation. We need to take back their ill-gotten gains and perhaps bring back the guillotine or the firing squad. They may not take stealing our money seriously but they do value their greedy pathetic little lives. Masters of the universe, my foot.

  • Gunnar says:

    “US banks are already intensely regulated under an alphabet soup”
    I think this misses a key point – many of the institutions you listed, Bear Stearns and Lehman, were not retail banks on a large scale and so not really subject to all those regs. Sure, _retail_ banks are regulated; however, they are actually the large financial institutions that are faring the best.
    Wells Fargo has a P/E of 19!!!!!
    Wells Fargo’s CEO’s take on subprime was – “I don’t know why banks needed to invent new ways to lose money when the old ones worked just fine.”
    The derivatives books that are causing this mess were manifestly _not_ regulated. So the examples you gave actually show that the institutions that were more heavily regulated have fared far better (i.e. still in business) than the ones that were not.
    The Sage of Omaha called derivatives financial WMD (notably, he said this 5+ years ago), and of course last week he said to Goldman and Wall St – all your banks are belong to us. The guy is a case study in risk management. If you study what they do, every move they make has 3 layers of protection.
    Warren Buffett:
    AIG would be doing fine today. It was one of the ten largest companies in the United States in terms of market value, over 200 billion, the most respected insurer and everything in the world. If they never heard of the word derivatives, they’d be doing fine. They’d be going to work in the morning and they would have no troubles. But they — they — it was very easy to do, because it’s very tempting to write numbers on little pieces of paper and you can report the profit you want to, and there is no limit on it. I mean there is no capital requirements to it or anything of the sort. And basically, I said there were possibly financial weapons of mass destruction, and they had them. They destroyed AIG. They certainly contributed to the destruction of Bear Stearns and Lehman. Although Lehman had other problems, too.

  • I note that the day of reckoning for Lehman credit default swaps is October 21, 2008 [link no longer works], and that there’s going to be an awful lot of money changing hands that day.
