In-house counsel tasked with managing legal risk have interesting times ahead, with the new European Banking Authority rules set to strain resources and potentially force a review of legal risk categories and risk models

Draft rules published by the European Banking Authority (EBA) in June 2014 would require European banks to quantify broadly defined legal risks as part of their regulatory capital calculations. They will force in-house teams to redraw risk management plans, but may help banks manage the massive costs of conduct breaches – an average of over £50bn a year for ten international banks between 2008 and 2013.

The rules, which could be phased in as early as 2016 as part of the Basel III implementation plan, would extend the scope of legal risk to include what many banks see as conduct risk – a significant change, as many organisations treat these risks as separate categories.

The European banking community raised points around the form of loss and scope of the definition in their September 2014 response. But it would be no surprise if the final rules were to enshrine the idea that conduct issues be included in the scope of legal risk.

The legacy of mis-selling scandals and tighter capital requirements

The rules (Article 312 of Regulation (EU) No 575/2013) extend the scope of legal risk and attempt to formalise the way in which legal risk losses will be captured.

Draft rules focus on the technical detail of how AMAs (Advanced Measurement Approaches) apply to own-funds calculations and capital requirements. They are part of a swathe of regulations that include Basel II – the first to define legal risk as a specific category of risk – aimed at tightening banks' capital requirements.

The EBA appears to want to make sure that legal-risk losses are included in regulatory capital calculations. Article 4.1 states, with emphasis added, "operational risk events related to legal risk, and the related losses, shall be included within the scope of operational risk for the purpose of calculating the AMA [Advanced Measurement Approaches] regulatory capital".

New definition means more work for in-house teams

The EBA definition of 'legal risk' runs as follows:

"the risk of being sued or being the subject of a claim or legal proceedings due to non-compliance with legal or statutory responsibilities and/or to inaccurately drafted contracts. It also includes the exposure to newly enacted laws as well as to changes in interpretations of existing laws."

The draft rules extend this to include "events triggered by legal settlements" and, crucially, "events related to decisions made by an internal competent decision-maker but breaching legislative or regulatory rules, internal rules or ethical conduct". The rules go on to mention specific "operational risk events" that seem informed by recent history:

• Aggressive selling.
• Interpretations of legislative or regulatory rules which prove to be against industry practice.
• Refunds to customers.

Whatever the final form of the new rules, there are two reasons why they are likely to mean extra work and uncertainty for in-house counsel.

Firstly, many banks treat conduct risks separately from legal risks. Making the former a subset of the latter will mean a shake-up of risk models and risk functions.

Secondly, the EBA rules will require legal departments to take a proactive approach to risk modelling and quantification. You will need to consider how your business operations interact with legal standards, and quantify expected and potential losses from circumstances where that interaction may fall outside the letter or the spirit of the law.

Banks must incorporate conduct risk into their legal risk framework

If conduct risk becomes part of legal risk, in-house counsel must be able to incorporate it into their legal risk framework, and be comfortable in their ability to quantify and manage it.

Many conduct issues are the result of poor understanding, or a lack of awareness, of how legal standards (law and regulation) apply to business operations, products and services. In-house legal teams are ideally placed to advise on how operating practices may fall outside of legal standards.

The EBA rules highlight the risks of aggressive selling, misinterpretation of legislative or regulatory rules, and mass refunds to customers as examples of legal-risk-related events that must be factored into regulatory capital calculations.

And the scope of regulator concern is increasingly clear. Regulators expect firms to trade in goods or services that have a clear value for the customer and, in the case of retail financial services, to check in advance whether customers will get a net benefit from buying the product.

Get the basics in place ahead of tight regulatory deadlines

It's hard to predict when new regulations will have to be in place, and the exact requirements of the new rules. But you can be certain that the regulators are turning a one-way ratchet: rules and reporting requirements will only get tighter.

In-house teams can put the basics in place now. Take this opportunity to be more proactive in your approach to legal risk management. This will help you meet current regulations more efficiently, and make future changes easier to deal with.

We recommend that in-house teams focus on four themes:

1. Build a legal-risk management framework. The goal is a consistent, robust framework that will help you identify legal risks, and that highlights those legal risks that relate to ethical culture and conduct.
2. Analyse the financial impact of getting legal risk management wrong. Implement scenario analysis to estimate expected and potential losses, and reduce heuristics in risk impact estimates.
3. Crunch the numbers. Aggregate loss data into meaningful categories and reports, and define your appetite for legal risk.
4. Put basic measures in place. Test for awareness of legal risk and decide how to identify and monitor key risk-indicators. Use data to educate and support frontline staff; help them take the right decisions and minimise future losses.

Matthew Whalley is head of the legal risk consultancy at Berwin Leighton Paisner.