JPMorgan Chase & Co. Chief Executive Officer Jamie Dimon has pledged billions of dollars to improve compliance and cybersecurity. That's not stopping regulators from treating the bank as if it were riskier than ever.
The firm's operational risk-weighted assets, a measure devised by regulators that determines how much capital the bank needs to hold against potential losses from human error, external threats, fraud and litigation, rose 6.7 percent in the second quarter to $400 billion, according to an August filing. Regulators can point to $23 billion of legal settlements last year and a cyber-attack discovered last month as they push JPMorgan to boost its buffer against unforeseen losses.
Wall Street firms including Citigroup Inc. and Bank of America Corp. that together racked up more than $100 billion in post-financial crisis legal costs are facing similar pressures. At JPMorgan, the largest U.S. bank, that means more than $35 billion that can't be used for dividends or buybacks, prompting Dimon to call it "stranded capital."
"Banks are saying, 'We've made huge investments in technology and compliance personnel and we aren't getting credit for it,'" said Justin Fuller, a senior director at Fitch Ratings in Chicago. "At the same time, the only verifiable data points are these huge litigation costs they've just had, and it's hard to ignore those."
JPMorgan will spend an additional $2 billion from 2012 through the end of this year on improving controls, with an annual $250 million on cybersecurity, Dimon said in his annual shareholder letter in April. The New York-based firm also cut ties with potentially risky clients, including 500 foreign banks, and sold or shuttered businesses exposed to regulatory scrutiny such as physical commodities.
Chief Financial Officer Marianne Lake said in January that she hoped to convince regulators that the calculation, using historical data to forecast future costs, was unfair because it didn't reflect the bank's current level of safety. The models are "backward looking" and show heightened risk for five to 10 years after settlements, she said.
"It's our belief that this firm is not exposed today or will not be exposed going forward to those levels of risk at anywhere near that scale," Lake said. The bank is "working very hard with the industry to try and figure out how to better model changes in the business environment."
Regulators' concerns haven't prevented JPMorgan's stock from generating a return of 111 percent, including reinvested dividends, since the start of 2009, the most among the four biggest U.S. banks. The cost of insuring its debt against default has fallen by more than half in the past two years.
Operational risk entered the global regulatory debate after the 1995 collapse of U.K. bank Barings Plc following a rogue trader's losing bets on derivatives. When the Basel Committee on Banking Supervision revised its rules in 2004, operational hazard was included among the three categories banks must use to calculate capital needs. The other two, credit and market risks, measure what portion of loans a bank has made that can sour and how much it can lose when markets fluctuate.
Under Basel II guidelines, banks had wide leeway in how they calculated possible losses for operational mistakes using their own internal models. When the Basel committee revised the rules after the 2008 financial crisis, policy makers tightened the calculations, requiring past losses be taken into account and increasing the power of regulators to demand changes.
After a $6.2 billion loss in 2012 by a JPMorgan trader known as the London Whale, U.S. regulators became more aggressive in making sure banks' internal models were appropriately measuring the operational hazards firms face. The push has been accelerated by legal disputes involving mortgage lending during the housing boom, alleged market-rigging and sanctions violations.
"One of the central lessons coming out of the financial crisis was that supervisory expectations for risk management" needs to be much higher, Thomas Curry, the U.S. Comptroller of the Currency, said in May. He previously said that operational risk is the biggest safety concern for banks, citing threats including cyber-attacks and failure to comply with anti-money- laundering rules.
JPMorgan was among at least five banks targeted in a coordinated attack on financial institutions in recent weeks, a U.S. official said last week. The assault led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement. JPMorgan said last week that it hadn't seen unusual fraud levels and that it's bolstering its defenses against hacking.
Operational risk also encompasses potential damage to a bank's reputation. That can manifest itself in loss of business if a firm's reputation is sullied, or in costs to protect its brand. Banks faced losses from rescuing internal hedge funds during the financial crisis in order to prevent the reputational harm that would result from their failure.
JPMorgan's operational risk-weighted assets, or RWAs, rose by $25 billion in the second quarter, after "regulatory guidance," accounting for a larger slice of the firm's risk profile, the filing shows. The $400 billion of such assets is 24 percent of the company's total, up from 6 percent in 2010.
The bank would be required to maintain a common-equity capital ratio of 9.5 percent of RWAs when taking into account surcharges proposed by the Financial Stability Board for systemically important institutions. The $400 billion of operational RWAs translates to about $38 billion of capital, more than twice what JPMorgan has to hold for market volatility.
Operational risk exists in all parts of the bank and can manifest itself in fraud, business interruptions and the inappropriate behavior of employees and vendors, JPMorgan said in the filing. The bank projects its total RWAs of $1.62 trillion will drop to $1.5 trillion at the end of 2015 as credit and market risks decline.
"It's a kind of penalty -- if you're the biggest bank in the land, you'll have the largest operational risk," said Mark Williams, a former Federal Reserve bank examiner who teaches risk management at Boston University. "Regulators are using a rearview-mirror approach and have failed to take into account the banks' learning curve. Just because you have a risk doesn't mean you'll have a loss."
Dimon, 58, settled a litany of disputes last year, including government probes of mortgage-bond sales tied to the housing bubble, energy trading and oversight of services provided to Ponzi-scheme operator Bernard Madoff.
Bank of America said a $26 billion increase in its total RWAs as of June 30 was driven by an increase in operational risk-weighted assets. About 26 percent of its total is tied to operational risk, meaning the Charlotte, North Carolina-based bank had more than $330 billion of such assets.
Citigroup said it was forced by the Fed to add $56 billion to its operational RWAs earlier this year, which reduced its capital-ratio target, citing the "the overall operating environment for the banking industry." The New York-based company had $288 billion of such assets as of June 30, or 23 percent of its total, up from $177 billion in the third quarter of 2013. Goldman Sachs Group Inc. had $93.8 billion of operational risk-weighted assets at the end of June, 16 percent of its total.
Credit Suisse Group AG, Switzerland's second-largest bank, said in February that its regulator ordered the firm to boost its operational RWAs by $6 billion to 53.1 billion Swiss francs ($58 billion). UBS AG, the country's largest lender, was ordered to bolster its figure by more than 27 billion francs before the regulator agreed to use a different way to assess risks, leading to a 22.5 billion-franc increase.
Spokesmen for all the banks, the OCC and the Federal Reserve declined to comment on regulatory matters.
"For the biggest banks, operational risk-weighted assets have gone up a lot and will continue to rise," Fitch's Fuller said. "It's hard to see that trend changing anytime soon."