Managing Risk and Complexity: Legal Entity Identifier

After Lehman’s demise, participants in the global financial system could not assess their exposure to Lehman, its subsidiaries, and each other because there was no standard system for identifying counterparties in the maze of subsidiaries and affiliates from which banks, insurers, asset managers, and other market participants transact.McKinsey & Company, The Legal Entity Identifier, October 2017

Prior to the financial crisis, even an informed observer might have naïvely believed that the CEOs of big financial firms could simply push a button to view the current exposure of their firms to any other firms in the world. Or, if less technologically advanced, they could call their chief risk officers or chief financial officers to obtain end-of-day positions.

Not even close. By the time that Lehman failed in September 2008, large financial holding companies had evolved into extremely complex structures with hundreds or thousands of subsidiaries for which the parent companies lacked consolidated information technology and risk-management systems. This ill-informed state reflected the use of legacy systems following long histories of mergers, combined with legal maneuvers to reduce tax liability and isolate losses in one part of a business from other parts. The multiplicity of information systems meant that different parts of the same firm employed varying names and codes to identify the same counterparty. In some cases, even the same division of a firm failed to consolidate systems (see the discussion here). Fixing this, merging all of the information structures and ensuring consistency, would have been an expensive proposition that managers (compensated out of current profits) had incentive to delay.

When Lehman Brothers Holdings collapsed in September 2008, it had as many as eight thousand subsidiaries operating across an array of jurisdictions around the globe (see Kapur, 2015, page 188, citing Harvey Miller, lead attorney for the Lehman Bankruptcy filing). Not only that, but other large financial intermediaries had hundreds, and in some cases thousands of subsidiaries, as well. The chart below shows the number of subsidiaries of those U.S. financial holding companies with the largest volume of assets at the end of 2016.

Top financial holding companies: number of subsidiaries, 2006 and 2016

 Notes: The firms are ranked by their number of subsidiaries in 2006. The BK 2016 number increased at least in part as a consequence of a mid-2007 merger. Source: Courtesy of    Nicola Cetorelli   , FRB New York, from the    National Information Center    FR Y-10.

 Notes: The firms are ranked by their number of subsidiaries in 2006. The BK 2016 number increased at least in part as a consequence of a mid-2007 merger. Source: Courtesy of Nicola Cetorelli, FRB New York, from the National Information Center FR Y-10.

What do these large numbers imply? Consider just one example: the potential bilateral relationships before the crisis between any of Morgan Stanley’s roughly 3,500 subsidiaries and Lehman’s 8,000. Determining the consolidated exposure of Morgan Stanley to Lehman then required aggregating (summing and netting) positions resulting from what could in principle have been millions of bilateral relationships, each identified using a different protocol. Unsurprisingly, it took quite some time for Lehman’s counterparties to calculate their exposure to the consolidated entity.

Large firms were not the only organizations unable to compute (let alone manage) their consolidated risk exposures in a timely way. For the authorities, identifying vulnerabilities and estimating systemic risk—creating a global risk map—was beyond anyone’s capacity (even if someone had thought of trying).

Correcting these deficiencies in the financial infrastructure is not a trivial matter. Simplifying the problem requires the creation of a unique, universal, and permanent identification system for both institutions (financial and nonfinancial) and instruments. For firms, this would be analogous to international banking account numbers (IBAN) or SWIFT codes for all legal entities, not just banks or their subsidiaries. For instruments, this would be akin to a global version of CUSIP numbers for all financial instruments, not just securities. If we had both of these, it would be possible in principle to map the exposures across the global financial network, and to identify nodes of risk concentration and vulnerability.

Before turning to legal entity identifiers, it is worth saying a few words about instrument identification. In 2009, Bloomberg created the Financial Instrument Global Identifier (FIGI). As far as we can tell, the FIGI is currently used for securities. While this is certainly progress, it does not go far enough. In our textbook, we define a financial instrument as a written legal obligation of one party to transfer something of value, usually money, to another party at some future date, under specified conditions. Examples include not just equities, bonds, and derivatives, but bank loans, securities financings, and insurance contracts. To compute bilateral financial exposures, the building blocks of a systemic risk map, we need to identify not only the counterparties to a transaction, but the nature of the obligation itself. This means having a FIGI that is comprehensive across instruments and jurisdictions.

How can we simplify the problem of entity identification? Returning to the example of Morgan Stanley’s exposure to Lehman, imagine that each of their 3,500 and 8,000 subsidiaries has a bilateral relationship with each of the others. That is, there are 3,500 x 8,000 = 28,000,000 bilateral exposures of one sort or another. Now, assume that each of these 11,000 entities uses a completely different naming convention for storing the counterparty of its transactions. That is, each of the Morgan Stanley subsidiaries gives each of the Lehman subsidiaries a different name. And, similarly for Lehman. The result would be 28 million different combinations of the two names. If, instead, each of the 11,000 subsidiaries had a unique name, and that these names were associated with the parent, then things would become quite simple: consolidation would lead quickly to one set of 2 names.

Realizing the nature of the opportunity and the challenge, in November 2011, the G20 called for the creation of a global legal entity identifier (LEI). Importantly, everyone realized that given the massive size of the financial system that supports both domestic and cross-border activity, the solution had to be global. That is, we need a system that allows everyone to identify both those entities within their own country and those entities outside. (For pioneering analyses, see work by the Federal Reserve and the Office of Financial Research. For up-to-date information on the LEI, see here.)

Following several years of work by global authorities, in June 2014, the Financial Stability Board created the Global Legal Entity Identifier Foundation (GLEIF). (A description of how this came about is available here.) Each LEI is a 20-digit number that is attached to a set of reference data. The information is designed to allow anyone to answer two essential questions:

  1. Who is who?
  2. Who owns whom?

Why do we need to know? Start with what happens when two banks merge. For example, over the past 30 years or so, more than 40 banks combined to become what we know today as the Bank of America (see the diagram here). Many of these legacy institutions had business customers in common and independent knowledge of them. Consolidating that information would surely have been useful in evaluating how to manage the ongoing bank relationship. Should a customer’s new loan application be approved? Is it worthwhile to market additional products to a particular customer? Tax identifiers (such as Social Security numbers) make this a straightforward process for individuals. For complex firms with multiple subsidiaries, it requires a common identification system, like the LEI.

Knowing who is who—verifying that information in disparate databases applies to the same entity—also is critical for satisfying Know Your Customer (KYC) requirements, a legal prerequisite in most countries for establishing a new client relationship. If LEIs were widely used, the cost of complying with KYC regulations (as well the related anti-money laundering rules) would be far lower.

Knowing who owns whom directly addresses the problem that surfaced when Lehman failed. That is, with an LEI, firms can compute their exposure to a consolidated entity. As noted in a recent McKinsey report, banks also can use the LEI to aggregate and reconcile trade information, reducing operational risk. Having the subsidiary tree of a larger entity helps with a variety of other things, too. For example, if the parent offers to pledge a subsidiary’s assets as collateral for a loan, the lender can verify that the relationship is genuine. (For a detailed discussion of the commercial benefits of the LEI, see here.) Finally, together with appropriate financial information, LEI-based consolidation allows the authorities to construct a network map of risk concentrations.

What will determine the success of the LEI initiative? The answer is the breadth of use. Like a currency, a language, or a communications device, the LEI is characterized by a network externality: the more people that use it, the more valuable its use becomes. The challenge is that, initially, the benefits are very small. And, while the direct cost of registering an LEI is trivial―$75 initially and $50 for an annual renewal―the one-time fixed cost of updating IT systems is not small. If everyone delays paying this fixed cost, we get stuck in the low-benefit state of the world with few users of LEIs. However, if everyone pays the individual cost, the combined net savings could be high.

Some financial firms are well aware of the cost savings associated with a universal identification system. The Office of Financial Research has pointed to estimates of the costs of operating without common data standards in the billions of dollars. As a result, some in the financial industry asked regulators to require them to register. Not only would this reduce their cost of managing relationships with other financial sector firms, but it would make it easier for them to require their nonfinancial customers to do the same (see the discussion here).

So where do we stand? The identification system has advanced substantially. There is now broad acceptance of the need for both legal entity identifiers and financial instrument identifiers. And, the U.S. Commodity Futures Trading Commission and the European Securities and Market Authority have required counterparties in derivatives transactions to report LEIs. As of this writing, 683,040 LEIs have been issued.

The challenge is to ensure that this number rises substantially, eventually including virtually every firm that is eligible worldwide. However, in the absence of collective action, the risk is that the transition to a universal identifier system will stall. Because such identifiers are common goods with network effects―everyone benefits if everyone uses them―there is an incentive to postpone the one-time cost of IT upgrades until so many other firms have done so that making the investment pays off quickly. The solution is for authorities to require participation by some specified date either through regulation or legislation. And, since so many financial and nonfinancial institutions operate in multiple jurisdictions, this coordinated solution has to be a global one.

This leads to our bottom line: building on the successful creation of the LEI, the 25 member jurisdictions of the Financial Stability Board should do two things. First, they should agree to require the LEI as a prerequisite for a financial or nonfinancial business greater than a minimum size to engage in any financial transaction in their jurisdiction. In the United States, for example, other financial regulators should follow the CFTC’s lead in this regard. Second, the FSB members should implement a complementary system of financial instrument identification. Only then, once both systems are in place, will the private and public sector be able to track exposures in a low-cost, timely manner that allows them to manage risk efficiently.