Basel III: Solving the Financial Crisis One Packet at a Time

Over the past three years policy-makers, bankers and financial sector regulators have engaged in a very public blame game about the global economic crisis. Despite appearances, this row has been about understanding the past in order to assure a more resilient future. Recent events have accentuated the importance of future proofing the global financial system. This week, the unprecedented bearishness of global financial markets suggests that we have arrived at the mother of all watershed moments – against a backdrop of sovereign debt, which has left pillars of western civilisation with little more than a fig leaf to preserve their dignity. And the contagion is fast spreading across the eurozone. Of course this is compounded by challenges in the US, where high risk power-plays and partisan brinkmanship on Capitol Hill, and a downgrade by a single credit rating agency have undermined confidence.

Clearly the immediate task of steering the global economy back to black must take precedence over all else. While answers are sought it is equally important to find a way to ensure that no one within banking governance or with authority over bank, market operation or supervision can ever again bury their heads in the sand while overwhelming risks build up around them.

IP Networks Play a Pivotal Role

As these events propel us toward the eye of the storm, fresh approaches in the management of future risk are vital to preserve the western economy and way of life. That is why the Basel III banking regulatory standard for capital adequacy and liquidity was recently adopted by the G20. However, another pillar of the global financial market demands at least as much attention if we are to more effectively process the enormous and increasing volumes of risk related data to effectively proactively and pre-emptively reduce future risk to global finance.

Since the ‘big bang’ every aspect of the global financial system has become reliant on networks using the internet protocol (IP) and the flow of electronically captured information packets that contain complete details of every information interaction. As IP networking stretches across even more forms of electronic interaction (such as mobile computing), the central role which IP-packets play is becoming more important. This technology underpins some of the most powerful network monitoring techniques. Its pivotal role in banking systems means that it can be harnessed to deliver system-inherent risk mitigation and market surveillance solutions.

What is DPI?

One monitoring technique which can be harnessed for this purpose is deep packet inspection (DPI). Originally developed to display packet-level detail for issues detected in the monitoring of application response times, DPI solutions provide highly efficient real-time packet filtering. They also enable the capture of the content within packets for retrospective analysis and transaction playback. Because of these capabilities an effective DPI is able to maintain full visibility into any IP-based network.

Why is this Relevant?

DPI also enables packet network equipment, which is not at the endpoint of an information interaction, to use the contents of packets for applications such as advanced security, data mining, eavesdropping and censorship. One interesting but somewhat controversial use is the practice of packet flow control employed by some internet service providers (ISPs) despite the network neutrality principle of no restrictions on consumers’ access to networks that participate in the internet. In a long-running and very public argument a number of ISPs are seeking to extend the use of DPI to make content providers and online businesses pay for packet prioritisation and access to an information expressway for competitive edge. There are of course many less controversial uses of the technology; in fact several financial institutions owe much of the optimal baseline performance of IT networks to DPI.

How Can DPI Be Applied to Help Solve the Financial Crisis?

Before the crash of 2008 there were many warning signs. However, they were considered by almost all industry stakeholders to be discreet, siloed, unconnected and inconsequential. In hindsight it is clear that if analysed as an aggregated risk they would clearly have indicated a major compound risk. Despite the lack of automated risk aggreagation and correlation a few very smart individuals did understand the hidden danger of these disparate risks and realised there was a great deal more beneath the surface which could precipitate systemic collapse. For example, three years before the crash Nouriel Roubini – an economics professor and US policy advisor – drew attention to many of the root causes and made loud noises about the possible consequences. His evidence correlation and astute analysis illustrated the high probability of catastrophic collapse but he was ignored by the financial community, became something of a pariah, and was dubbed ‘Dr Doom’.

Both real-time packet inspection and retrospective analysis can play a pivotal role in early warning systems for banks. Had there been packet-based system-inherent risk radars automatically gathering, correlating, processing and analysing a steady stream of packets against risk thresholds within individual banks, a compelling chain of evidence supporting theories about the level of compound risk would have been available to bank supervisors and regulators.

In addition, once the imminence of crisis became obvious, policymakers and stakeholders could have been armed with deep insights from comprehensive retrospective analysis about transactional types, volumes, and exposures and would have been able to grasp the significance of key factors in a more timely manner. The unprecedented levels of transactional and related risk visibility made possible by DPI derived solutions could have helped avert the devastation.

Basel III – Audits, Forensics and DPI

Difficult lessons have been learned. The recently published US Financial Crisis Inquiry Commission (FCIC) report cited widespread failures in regulation, dramatic breakdowns in corporate governance, excessive borrowing and risk-taking and policy makers who were ill prepared for the crisis or systemic breaches in accountability and ethics at all levels. The root causes cited in the FCIC report are not unique to the US economy. They are in fact at the heart of the global crisis. After much deliberation European policy-makers are ready with far more comprehensive checks and balances, which better equip and (hopefully) prepare both financial institutions and regulators to take more decisive preventative action should a similar set of threats re-emerge in future.

Despite loud protestations from a handful of erstwile powerbrokers within the financial services sector who believe the crash was unavoidable, the Basel III banking regulatory standard for capital adequacy and liquidity was recently adopted by the G20. Basel III is targeted at assuring confident and competent management of both macroeconomic and microeconomic (individual bank) risk factors. One of the Basel III key provisions for the mitigation of microeconomic risk is a strengthened requirement for the Internal Capital Adequacy Assessment Process (ICAAP) – which mandates board-level self-assessment of solvency for all banks. This provision also places the onus for internal regular audits of the ICAAP on the boards of the individual banks. Crucially both self-assessments and ICAAP audits are subject to rigorous review by banking industry supervisors.

The ICAAP challenge is well beyond human scale, however comprehensive long-term packet capture and analysis would provide a highly effective ‘black box’ for ICAAP compliance and audit purposes. The use of the technology as an in-flight recorder for all transactions would enable reassembly of packet streams to investigate policy violations retrospectively and reshape evidential reconstruction to enable both audits and incident handling.

Enabling Even More Comprehensive Risk Radar

The financial crisis proved beyond any doubt that the devastating effect of risk interdependence cannot be dismissed. In fact under Basel III unless a bank is in a position to show adequate provision in catching any kind of early-warning signals they will be required to increase buffer amounts to guarantee capital adequacy and liquidity as laid out in the accord. As a result banks will need to demonstrate adequate monitoring of their entire transactional environments.

What’s required is a comprehensive next-generation approach to minimise risk, improve service quality and predictability, and optimise operational efficiency. By visualising and analysing infrastructure domains, applications and transactions together financial institutions will be better equipped to pinpoint, prioritise and resolve risk across all aspects of the complex IT dependent environments which they are now wholly reliant upon.

Any such solution should unlock intelligence needed to quantify network and application performance across an entire organisation with end-to-end application response time monitoring, network traffic analysis, device performance management, long-term packet capture and analysis. It should also scale across multiple dimensions. That means accommodating billions of transactions and millions of devices across the world’s largest networks to enable co-ordination of data collection and analytics to handle the complexity and capitalise on the extraordinary insights acquired through continuous monitoring.


Related reading