From: Paul Moore Sent: 04 January 2011 13:02 To: '[email protected]' Subject: My evidence to the Treasury Select Committee on the banking crisis etc

To whom it may concern

My name is Paul Moore. I have been involved in risk management, regulatory compliance and governance in the financial sector since 1984 before the first version of The Financial Services Act 1986.

I was the former Head of Group Regulatory Risk at HBOS who gave influential evidence to the Treasury Select Committee in February 2009 when it was looking into the causes and implications of the banking crisis. My evidence was widely publicised in the media worldwide and led directly to the resignation of Sir James Crosby who was then the Deputy Chairman of the Financial Services Authority. My evidence proved that Sir James Crosby, when he was the CEO of HBOS, dismissed me as Head of Group Regulatory Risk for reporting that the sales culture had become markedly out of balance with risk and compliance systems and that the Board should reconsider its continued strategy for sale growth if it wished to avoid risks to customers and colleagues. I maintained that failures in governance, risk management and compliance were at the heart of the banking crisis. In particular, I pointed to strategies with an excessive focus on sales, cultures that facilitated “group think” and resisted challenge and the lack of rigorous oversight and challenge by internal control functions, the non‐executive and the FSA.

Gordon Brown commented in PMQT on the day that Sir James had to resign his post at the FSA to contest the serious allegations I had made....he has never been required to do so.

You can see a summary of the story in this clip of the BBC Newsnight coverage http://www.vopres‐video.co.uk/Paul%20Moore/index.html there are also many other links / references to the story if you look me up in Google at Paul Moore, HBOS.

As I said in my first tranche of evidence (which I attach for ease of reference), I believe that there are some very important lessons that are brought into sharp relief by the story of what happened to me at HBOS about the way risk management, compliance and corporate governance generally should work in relation to banks if they are to be kept under control. I suppose the two most important points I made in my evidence to the TSC were these:-

2.10 In simple terms this crisis was caused, not because many bright people did not see it coming, but because there has been a completely inadequate “separation” and “balance of powers” between the executive and all those accountable for overseeing their actions and “reining them in” i.e. internal control functions such as finance, risk, compliance and internal audit, non-executive Chairmen and Directors, external auditors, The FSA, shareholders and politicians.

4.3 (extract) There is no doubt that you can have the best governance processes in the world but if they are carried out in a culture of greed, unethical behaviour and indisposition to challenge, they will fail.

Since giving my evidence, I have written quite extensively about the policy changes I believe are required in papers to the Walker Review and to the FSA. I have also spoken at many conferences about the lessons which my story shows. I now call these “the four Cs”:-

 Culture comes first – this now needs to be part of the internal control KPIs led by the non exec and also understood, analysed and supervised by the regulator...this Rubicon must be crossed and Hector Sants seems now to agree with this (see his speech 17th June 2010).

 Capability, Competence and Credibility of the Control Functions...the quality and strategic influence of risk management, compliance and internal audit needs to be raised to a different level....and this is not all about technical / mathematical knowledge. We need a real professionalisation of these functions so they carry the same weight as Actuaries, Accountants and Lawyers.

 Corporate Governance to ensure a real separation and balance of powers in societally important corporate entities between the executive and all those accountable for their oversight...This must mean a totally different paradigm of corporate governance to the one currently in the corporate psyche including a new dedicated non executive role accountable for group-wide oversight, assurance and ethics to whom all the internal control functions would report – it’s no good having internal control functions if the executive are able to remove them as soon as they “speak truth to power”. My small advisory firm did a survey of risk managers around the world into the causes and implications of the banking crisis with Cranfield School of business and it is clear that the majority of risk managers expected a major financial crisis but felt that the culture in their organisations inhibited effective challenge: well, we ought to know by now through the many lessons of history that “power corrupts and absolute power corrupts absolutely”. In such huge globally important business as some of the banks which have balance sheets larger than many sovereign governments, it is crucial that a balance of power is restored so that the short term greed of shareholders (as expressed by investment analysts) does not over-power the obligations of the corporate entity to the longer term rights / expectations of its other stakeholders including society as a whole.

 Comprehensive Corroboration of Critical Controls – We focus far too much time and energy on the narrow statutory audit and the calculation of capital. Look how much time went into Basel 2 and look how much money was spent on auditing the big banks. Frankly, for all the £millions spent, audit and capital calculation the public has not been provided with much, if any, value....And, audit does not seem to deal in any meaningful way with the many of the risks and issues that really matter....and yet key stakeholders seem to rely on it to do so. Audit also suffers from the inherent conflict of “he who pay the piper calls the tune” which means they are do everything they can to avoid challenging their clients because of the risk of losing the audit fee. I was a Partner at KPMG and have seen this first hand myself.

If, for example, the design or implementation of risk management or compliance policies are crucial to maintaining financial stability of a bank (and they are!), then there needs to be a proper mechanism annually to corroborate (independently check and confirm) and report that they are indeed working both from a design perspective and are indeed being implemented...

For example, if you look at the losses on the corporate loan book of HBOS (i.e. Bank of Scotland) they raise very serious questions either as to the actual design of the credit risk policies (were they fit for purpose?) or to their actual implementation (were the policies followed).

I have always said that you can analyse the calculation of bank capital until the cows come home but it will never save a bank from the fundamental conduct of business or control failures that we have seen over the years from BCCI, Barings, Morgan Grenfell (cost Deutch Bank £800m – regulatory capital a fraction of that), Soc Gen or the banking crisis itself.

If you would find it useful in your analysis I am happy to send you all the other key documents I have written as well as to explain in person to you the crucial nature of my policy input. I think meeting in person would be helpful rather than just reading the documents.

Although I believe that the points I make above are far more important in maintaining stability than structural change, I do also have a rather simplistic policy view about the central policy question which seems to be the one on which everyone is focusing their attention relating to the separation of “casino” and “ordinary” banking. My view is this – if the activity concerned is not actually banking business (providing capital to businesses or individuals in return for payment of fees or interest or both), it should not be permitted to carry that activity out under a banking licence....The motto I have sometimes used is this “Take the betting out of the banking”. In saying this I am not suggesting that a holding company could not own both a bank doing banking business and a corporate entity doing “betting business” but the two activities would need to be underpinned by hypothecated capital and different regulatory regimes – after all the risk appetite relating to one activity is completely different to the other.

I also have views on auditing, the regulatory position and the treatment of rating agencies.

Please let me know if I can be of any help in your review.

Kind regards

Paul Moore

Tel: +44 (0)1347 86 87 86 Mob: +44(0) 7768 69 59 19 [email protected] www.moorecarter.co.uk

This email and any files transmitted with it are confidential. Copyright is owned by Moore, Carter & Associates. If you are not the intended recipient, please notify us immediately, destroy copies and delete it from your computer system. We have taken reasonable precautions to ensure any attachments have been swept for viruses but we cannot accept any liability for any loss or damage sustained as a result of viruses. Please also note that emails can be falsified. In circumstances where the content of this email is important, you should not rely on its integrity without checking by telephone or fax.