How July became the month to give us a timely reminder about the perils of concentration risk
CeFPro Managing Director, Andreas Simou, looks at how three distinctly different global events in July have conspired to remind us that risk management is always evolving
MANAGING CONCENTRATION RISK IN MULTILAYERED ORGANIZATIONS
In a month when the Microsoft IT outage highlighted the significance of concentration risk, we look at the case for a multilayered approach to risk management
With insight from Gemma Stewart, Global Head of Vendor Management (TPRM) at Zurich Insurance Company Ltd
THE YIN AND YANG OF THIRD PARTY RISK MANAGEMENT AND OPERATIONAL RESILIENCE
As reliance on third parties grows, how can generative AI strengthen third party risk management and operational resilience, and what new risks does it bring?
Charles Forde, COO, Global Markets and Investment Banking, Nomura
STRENGTHENING OPERATIONAL RESILIENCE – IN SEARCH OF TPRM UNITY
As the Basel Committee on Banking Supervision (BCBS) moves to address TPRM dependency in the sector, is a unified global approach really achievable?
With insight from Rosalyn Aryee, Head of Outsourcing & TPRM and Operational Resilience at Santander Corporate & Investment Banking
DORA THE ENFORCER – WHAT DO THE EU’S NEW REGULATIONS MEAN FOR THE UK?
The EU’s new Digital Operational Resilience Act (DORA) represents a significant regulatory milestone – but what will it mean for UK businesses with European interests?
With insight from Gerard Doyle, EMEA Head of Third Party Management and Procurement at SMBC Group
DO WE NEED TO TALK ABOUT SEXUAL HARASSMENT IN THE WORKPLACE?
Risk has taken on a new focus through ESG and EDI. This year, sexual harassment will join the conversation. What does that mean for us?
Heeral Gudka, Principal Consultant and Founder at Convergent
MANAGING INTERCONNECTED RISK IN A TECHNOLOGY-RICH FUTURE
As the risk environment evolves and becomes more complex, is it time for a more holistic approach to managing exposure?
Q&A with Sabeena Ahmed Liconte, Chief Compliance Officer, Americas at ICBC Standard Bank Group
BANKING AI - SAFETY, SECURITY, AND ETHICAL USE
In a time of increasing dependency on AI, how does the financial services industry tackle the thorny issue of ethical use around data protection and machine learning?
With insight from Chris Smigielski, Director of Model Risk Management at Arvest Bank
THE EVOLUTION OF FRAUD RISKS AND PREVENTION TACTICS IN THE AGE OF AI
How do fraud prevention teams approach the challenge of preventative technology that can also be turned against them?
With insight from Tibor Bartels, Managing Director / Head of Transaction Services Americas at ING
EMERGING TECHNOLOGIES AND FINANCIAL CRIME – THE TAX PERSPECTIVE
With financial crime becoming increasingly sophisticated, HMRC is leading the way on a collaborative approach to prevention
Insight from Kevin Newe, Assistant Director and the Illicit Finance Threats lead at His Majesty’s Revenue & Customs
MANAGING LIQUIDITY RISK IN TODAY’S BANKING ENVIRONMENT
In a fast-changing banking environment and a volatile economic climate, what does the future hold for our liquidity risk managers?
With insight from Ian Broff, VP and Head of Bank Financial Risk at USAA Federal Savings Bank
Written by the industry, for the industry
The views and opinions expressed in this publication are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
How July became the month to give us a timely reminder about the perils of concentration risk
Andreas Simou, Managing Director, CeFPro
This edition of iNFRont arrives at what is, in many ways, a seismic moment for the risk management community globally.
Together, the change of government in the UK, the global Microsoft IT outage, and the sudden if not altogether surprising decision by Joe Biden to hand the Presidential election torch to Kamala Harris, serve to remind us all that nothing in our world is certain.
The aftershock from these very individual and unique moments has profound implications across technology, geopolitical stability, and regulatory landscapes. The global IT outage triggered by a faulty CrowdStrike update to Windows systems underscored the vulnerability of critical infrastructure and cloud services, and opened up fresh debate on best practice in third party (and, technically, fourth party) risk management (and you can read more on this in the pages that follow this foreword).
Joe Biden’s decision to remove himself from the race to the White House introduces significant political uncertainty, adding to the geopolitical challenges that are so prevalent for risk professionals at present. Leadership transitions can lead to volatility in financial markets, impacting investment decisions, asset valuations, and regulatory frameworks.
Who is Kamala Harris and how would her policies differ from Biden’s? And that aside, how likely is she to defeat Donald Trump? The August edition of this magazine will explore in more detail how Harris’ arrival on the Democratic ticket will affect the work we do within the risk management space.
Finally, the UK general election represents a pivotal moment in regulatory risk for financial services. Electoral outcomes often influence regulatory policies, economic strategies, and market conditions, and we all need to be ready to adapt swiftly to whatever regulatory changes may be in the wind.
Together, though, these events underscore the interconnectedness of technology, geopolitics, and regulatory environments in shaping financial services risk management. If nothing else, they remind us that we live in interesting and uncertain times, which are unlikely to change any time soon and may, in fact, become less certain and more volatile.
I hope you enjoy this edition of iNFRont.
We welcome contributions. If you or your organization are interested in featuring in our next issue, please contact infront@cefpro.com
CONTENT AND AUTHOR SUBMISSIONS infront@cefpro.com
ADVERTISING & BUSINESS DEVELOPMENT
If you are interested in sponsorship and advertising opportunities, please contact: sales@cefpro.com
www.cefpro.com
Managing concentration risk in multilayered organizations: strategies and insights
This article is based on an interview with Gemma Stewart, Global Head of Vendor Management (TPRM) at Zurich Insurance Company. She joined Zurich in 2003 and has held multiple roles within the company. She started her career at Capita McLarens.
Alongside Joe Biden’s surprise decision to hand the baton to Kamala Harris in the Democrats’ bid to hold onto the White House, the other story from the last couple of weeks that will have given risk professionals pause for thought is the CrowdStrike failure: a faulty update to a security product that brought Windows systems around the world to their technological knees.
The latter event was near cataclysmic for any organization whose business continuity and resilience depended to any significant degree on Windows systems running the affected CrowdStrike software, and its global aftershock was, if nothing else, a timely reminder of how seismic concentration risk can be.
In today’s interconnected and volatile world, managing concentration risk has become paramount for organizations, especially those operating across multiple jurisdictions.
The meltdown of IT services for banks, airlines and other key industries demonstrated just how important it is for third party risk management functions to take a proactive approach to identifying, and then mitigating, concentration and over-dependency on a single key service provider.
Understanding concentration risk across sectors
More broadly, concentration risk is a universal concern across industries, whether in manufacturing, logistics, or financial services.
It fundamentally involves the risk associated with having too many services or dependencies concentrated in one location or with one third party. Natural disasters, geopolitical events, or other disruptions in these concentrated areas can significantly impact the supply chain and business operations.
In the third-party space, the supply chain is a critical area where concentration risk needs to be vigilantly monitored. A natural catastrophe or a geopolitical event in a single location could disrupt the entire supply chain, affecting business continuity. Therefore, business resilience becomes a crucial aspect of managing concentration risk.
This principle remains consistent across various industries, underscoring the need for proactive risk mitigation strategies.
Methodologies for identifying concentration risk
Gemma Stewart, who heads up the global third party risk management function at Zurich Insurance, believes any approach to concentration risk management needs to be rooted in data.
“When we’re starting to work with a new third party, we’re obviously going to look at what services are being provided, whether those are critical to us, and where they’re going to be located,” she says. “Are they in multiple service locations? What have we already got in those locations?
“You need to consider whether that increases the concentration beyond breaking point in a certain location, and you’d then start your business resilience planning around those locations or services. So you’d have a think about onboarding, continuous monitoring.”
Significantly, given the CrowdStrike issue, Stewart recognizes that not all concentration risk is geographical.
“You may have all of your services with one particular third party that also represents a concentration risk, so you need to have a think about different types of concentration and what the impact of that will be to your company [if things go wrong].”
Continuous monitoring is another key strategy. Utilizing risk monitoring solutions and setting up alerts for natural catastrophes or geopolitical events can provide early warnings.
This proactive approach enables organizations to start business resilience planning promptly. Regular risk assessments, recommended at least every six months or even quarterly, ensure that concentration levels are continuously evaluated and managed effectively.
It’s also important to recognize that concentration risk is not solely geographical. Having all services with one third party poses a significant risk as well. Diversifying service providers and locations can mitigate these risks, ensuring that disruptions in one area do not cripple the entire operation.
Reactive measures to unforeseen events
While proactive measures are crucial, some events, such as the war in Ukraine or Middle Eastern turbulence, are unpredictable and require reactive strategies.
When such events occur, organizations need to leverage existing data to quickly assess the impact on their supply chains and services. This involves identifying critical services from affected locations and implementing business resilience plans.
“If you don’t know that’s coming at the point of the onboarding concentration assessment, it probably won’t flag as a high risk,” says Stewart. “So you tend to have to have more of a reactive approach. But the data then is really key to make sure you can react very quickly and appropriately to whatever is going on.”
Options include relocating services to different locations, migrating to alternative third parties, or bringing services in-house if feasible. The ability to react swiftly and efficiently depends heavily on having up-to-date and comprehensive data.
Key considerations for managing concentration risk
When prioritizing risks, concentration risk is significant due to its broad impact on business resilience and data security. Stewart says having a multi-layered approach to risk management is key, since concentration risk intersects with other risk domains, such as data security.
Data plays a pivotal role in managing concentration risk. For financial institutions, a centralized, group-led mandate to collect and maintain data around critical third-party services is essential, and Stewart cites the creation of a global inventory that is not partitioned by country as being a strategically sound approach in managing that risk.
This approach ensures comprehensive visibility and facilitates informed decision-making.
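The inventory-driven checks described above (the onboarding concentration assessment, the reactive identification of services exposed to an affected location or supplier, and the single group-wide inventory that is not partitioned by country) can be expressed as a few queries over one table. The following is an added worked example in Python; it is not Zurich’s or CeFPro’s tooling. The inventory rows, the 30% appetite threshold, the `fourth_party` field and the function names are all constructed assumptions.

```python
"""Concentration-risk checks over a global third-party service inventory.

Added example for this article; not Zurich's or CeFPro's code. The rows,
thresholds and field names below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Service:
    name: str
    business_unit: str
    provider: str                       # the third party we contract with
    location: str                       # where the service is delivered from
    critical: bool                      # in scope for resilience planning
    fourth_party: Optional[str] = None  # the provider's own key supplier, if known


# Constructed sample inventory: one global list, not partitioned by country.
INVENTORY = [
    Service("Claims processing", "EMEA", "VendorA", "Warsaw", True, "CloudX"),
    Service("Policy administration", "EMEA", "VendorB", "Warsaw", True, "CloudX"),
    Service("Payroll", "EMEA", "VendorC", "Warsaw", False),
    Service("Endpoint security", "Group", "VendorD", "Austin", True),
    Service("Customer portal", "APAC", "VendorA", "Singapore", True, "CloudX"),
    Service("Data archive", "Americas", "VendorE", "Toronto", True, "CloudY"),
    Service("Print and mail", "Americas", "VendorF", "Toronto", False),
]

DIMENSIONS = ("provider", "location", "fourth_party")


def critical_share(inventory: Iterable[Service], dimension: str) -> dict:
    """Share of critical services attributable to each entity in one dimension.

    A fourth party is counted once per critical service that depends on it,
    so an entity we never contract with directly can still dominate.
    """
    crit = [s for s in inventory if s.critical]
    counts = Counter(getattr(s, dimension) for s in crit)
    counts.pop(None, None)  # services with no known fourth party
    total = len(crit)
    return {k: round(v / total, 2) for k, v in counts.items()} if total else {}


def flag_concentrations(inventory, max_share: float = 0.3):
    """Return (dimension, entity, share) for every entity above the appetite
    threshold, highest share first. The 30% default is an assumption."""
    flags = []
    for dim in DIMENSIONS:
        for entity, share in critical_share(inventory, dim).items():
            if share > max_share:
                flags.append((dim, entity, share))
    return sorted(flags, key=lambda f: (-f[2], f[0], f[1]))


def services_dependent_on(inventory, entity: str):
    """Reactive view: critical services exposed to an entity, whether it is
    the delivery location, the direct provider or a fourth party."""
    return sorted(
        s.name for s in inventory
        if s.critical and entity in (s.provider, s.location, s.fourth_party)
    )


def impact_scope(inventory, entity: str) -> str:
    """Would an outage at `entity` be felt at business-unit or group level?
    Group level here means more than one business unit is exposed."""
    units = {s.business_unit for s in inventory
             if s.critical and entity in (s.provider, s.location, s.fourth_party)}
    if not units:
        return "none"
    return "group" if len(units) > 1 else f"business unit: {units.pop()}"


if __name__ == "__main__":
    for dim, entity, share in flag_concentrations(INVENTORY):
        print(f"{dim:13} {entity:10} {share:.0%} of critical services "
              f"-> {impact_scope(INVENTORY, entity)}")
    print("Warsaw outage hits:", services_dependent_on(INVENTORY, "Warsaw"))
    print("CloudX outage hits:", services_dependent_on(INVENTORY, "CloudX"))
```

On the sample data, no single direct provider looks alarming until the fourth-party column is included: CloudX sits behind 60% of critical services across two business units even though it appears on no contract, which is exactly the kind of exposure a country-partitioned inventory would hide.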
The role of geopolitical tensions
Heightened geopolitical tensions can complicate the role of risk managers. However, Stewart argues that with the right data and inventory in place, managing these risks becomes more straightforward.
“As long as you have that inventory and you have the data to hand, everything just becomes significantly easier,” she says. “You have the data at your fingertips to understand what, ultimately, the impact will be on your company, and whether that impact will be felt globally, regionally, or at a business unit level.
“From there, you’re able to quickly identify action plans that you can put in place to reduce or mitigate that risk.”
The yin and yang of third party risk management and operational resilience
Charles Forde is currently the COO for the Global Markets and Investment Banking business of Nomura in the EU and Switzerland. Prior to joining Nomura, he was the Group Head of Operational Risk at Allied Irish Banks. He started his career managing technology and field operations for the United Nations, supporting military peacekeeping and humanitarian missions.
Third-party risk management focuses on identifying and managing risks related to the use of third party suppliers, partners, service providers, intra-group companies / affiliates and vendors who supply services or products.
As the business world has become more interconnected, companies have an increasing reliance on third parties to provide critical services, support business growth and to enable innovation and digital transformation.
Operational Resilience is defined as the ability of firms and the sector to prevent, adapt to, respond to, recover from, and learn from operational disruptions. An operationally resilient system is one that can absorb shocks rather than compound them, and is important for consumers, firms and financial markets.
Third Party Risk is also a critical element of Operational Resilience. While the numerous relationships and engagements with third parties may enhance and support the business and operational efficiency, they also introduce potential risks, including operational and financial instability, data breaches and regulatory non-compliance.
Current challenges with risk management for TPRM and operational resilience:
The processes and tools in the industry have not been adequate to effectively risk assess and manage the quality of services.
Challenges include:
• Manual, time-consuming risk assessment processes, often based on spreadsheet questionnaires that are ineffective and of limited accuracy; the responses are often stale by the time they are completed
• Siloed approach to assessment by different functions covering different risk domains.
• Limited scalability for increasing volumes of third party engagements
• Complexity of service delivery, often involving multiple “N-th” parties across multiple jurisdictions
• Limited ongoing and predictive monitoring of critical services and third parties
How can Generative AI be leveraged?
Generative AI can be a powerful tool for TPRM and Operational Resilience by assisting in several key areas:
A) Data Analysis and Prediction:
• Data Generation: create synthetic data for testing and validating systems without exposing real, sensitive information. This helps in ensuring the robustness of your risk management systems, training AI models and simulating different operational scenarios.
• Pattern Recognition: identify patterns and anomalies within large datasets to detect potential risks or irregularities in third-party behavior or transactions, including impacts across multiple risk domains. (A good example of the successful application of AI models has been with the ‘ION Group Ransomware deep-dive’).
B) Risk Assessment and Prediction:
• Risk Scoring Models & Predictive Analytics: develop risk scoring models by analyzing historical data, transactions, and market trends to predict potential risks. Patterns may be identified that indicate vulnerabilities or weaknesses in systems or processes.
• Scenario Generation: simulate potential risk scenarios which may impact resilience by generating hypothetical situations based on historical data. Scenarios can range from cyberattacks to supply chain disruptions, allowing organizations to proactively plan and prepare for such events.
C) Compliance and Monitoring:
• Automated Monitoring: continuously monitor and detect deviations from compliance and risk management protocols.
• Natural Language Processing (NLP): analyze contracts, communications, and legal documents for compliance issues, potential risks, or discrepancies.
D) Cybersecurity and Threat Detection:
• Anomaly Detection: identify anomalies in network traffic, system behavior, or user activity that could indicate potential cyber threats.
• Vulnerability Assessment: identifying and prioritizing system vulnerabilities by analyzing patterns in historical data and suggesting remediation, though any suggested patch still needs human validation and testing before it is applied.
E) Supply Chain Resilience:
• Predictive Analytics for Supply Chain: predict potential disruptions by analyzing various factors like weather patterns, geopolitical events, or supplier behavior.
• Alternative Planning: simulating alternative supply chain scenarios, enabling organizations to develop contingency plans for unforeseen disruptions.
F) Incident Response and Recovery:
• Real-Time Monitoring: of critical operations, enabling swift response to incidents.
• Automated Recovery Procedures: quickly identifying and rectifying issues, minimizing downtime and operational disruptions.
G) Decision Support and Continuity Planning:
• Decision-Making Support: analyzing multiple factors and historical data to suggest strategies for risk mitigation and maintaining operational continuity during disruptive events.
• Dynamic Response and Real-Time Decision Making: assist in real-time decision-making processes regarding third-party interactions, especially in scenarios where quick risk assessment and response are crucial. Adaptively respond to changing situations, adjusting operational strategies in real-time to ensure continuity.
H) Fraud Detection and Prevention:
• Anomaly Detection: identify anomalies or suspicious activities in transactions, flagging potential instances of fraud or misconduct.
• Behavioural Analysis: Analyse patterns to preemptively detect potential fraudulent activities before they escalate.
I) Training and Education:
• Simulations and Training: Develop simulation environments to train staff in handling various risk scenarios and enhancing their decision-making abilities.
• Educational Resources: create educational resources, training materials, playbooks and documentation for protocols and best practices.
However, when integrating generative AI into TPRM and Operational Resilience strategies it is crucial to consider ethical implications, ensuring the security and privacy of data, and conducting thorough testing to validate the AI-driven solutions before deployment. Collaboration among experts in TPRM, Resilience, AI, and industry-specific professionals is essential for effective implementation.
Potential risks introduced by AI:
Integrating AI into third-party suppliers and services can bring numerous benefits, but it also introduces several potential risks. The key risks to consider are:
Data Privacy and Security Risks:
1. Data Breaches: AI systems often require large amounts of data, which may include sensitive or proprietary information. If these systems are compromised, it could lead to data breaches and unauthorized access to confidential information.
2. Data Misuse: Third-party suppliers might misuse the data they collect, intentionally or unintentionally, leading to privacy violations or non-compliance with data protection regulations.
Operational Risks:
1. System Failures: AI systems are not infallible. A failure or malfunction in an AI system could disrupt the operations of third-party suppliers, leading to service interruptions or degraded performance.
2. Over-reliance on AI: Excessive dependence on AI systems can make suppliers vulnerable to unforeseen AI failures or inaccuracies, reducing human oversight and flexibility.
Ethical and Compliance Risks:
1. Bias and Discrimination: AI algorithms can perpetuate or amplify biases present in the training data, leading to unfair or discriminatory outcomes in supplier services.
2. Regulatory Compliance: Third-party suppliers must comply with various regulations and standards. The use of AI introduces complexities in ensuring compliance, particularly with evolving AI-specific regulations.
Cybersecurity Risks:
1. Vulnerabilities in AI Systems: AI components can introduce new attack vectors and vulnerabilities that cybercriminals can exploit, compromising the security of both the AI system and the broader IT infrastructure.
2. Adversarial Attacks: AI models can be susceptible to adversarial attacks, where manipulated inputs are designed to deceive the model into incorrect or harmful decisions. For generative models that read third-party content (contracts, emails, web pages), prompt injection hidden in that content is the most common form, so model output should not trigger actions without human review.
Strategic and Financial Risks:
1. Investment Risks: Investing heavily in AI technology can be financially risky if the solutions do not deliver the expected return on investment or if the technology becomes obsolete quickly.
2. Vendor Lock-in: Relying on a single AI provider can lead to vendor lock-in, reducing flexibility and increasing dependency on that provider’s stability and continued innovation.
Performance and Reliability Risks:
1. Accuracy and Reliability: AI systems may produce inaccurate or unreliable results if not properly trained, maintained, or updated. This can affect the quality and reliability of third-party services.
2. Scalability Issues: As demand grows, AI systems may face challenges in scaling effectively, potentially leading to performance bottlenecks.
Intellectual Property Risks:
1. IP Theft or Misuse: AI systems might inadvertently expose intellectual property or proprietary algorithms, risking theft or misuse by third parties.
2. IP Disputes: There can be disputes over the ownership of AI-generated outputs or the intellectual property embedded within AI models.
Transparency and Accountability Risks:
1. Lack of Transparency: AI systems can be complex and opaque, making it difficult to understand how decisions are made. This lack of transparency can hinder accountability and trust in third-party services.
2. Responsibility and Liability: Determining responsibility and liability for errors or harm caused by AI systems can be challenging, leading to legal and operational complications.
To mitigate these risks, integrating generative AI requires a multidisciplinary approach involving data scientists, risk management experts, legal advisors, and IT specialists to ensure effective implementation while addressing potential risks and ethical concerns.
Strengthening operational resilience - BCBS proposes principles for managing third-party risks in banking
This article is based on an interview with Rosalyn Aryee. Ros is an Executive Director at the Santander London branch where she heads up the TPRM & Outsourcing and Operational Resilience functions and is accountable for embedding a framework to meet both EU and UK regulatory expectations.
She is recognised as a thought leader on Operational Resilience and Third-Party Risk Management and has more than 20 years’ experience in defining and transforming governance frameworks to mitigate operational risks.
In response to the increasing reliance of banks on third-party service providers, the Basel Committee on Banking Supervision (BCBS) recently moved to introduce a comprehensive set of principles aimed at the sound management of the risks associated with those external relationships.
As a first step, the committee has issued a consultative document that seeks to address the growing digitization and rapid advancement of financial technology that has significantly increased banks’ dependence on external service providers.
Sweeping digital transformation over the past five years or more has led banks and other financial institutions to place greater reliance on outside partnerships in order to execute various functions.
On the one hand, this dependency serves to facilitate greater innovation and efficiency, but on the other introduces a spectrum of risks that need stringent management.
Recognizing this, legislators worldwide are taking steps to mitigate the risks stemming from banks’ reliance on third-party entities – something that was rendered more urgent by recent widespread IT disruptions that underscored the tangible nature of these third-party risks.
Elsewhere in this issue of iNFRont we take a closer look at what impact the European Union’s Digital Operational Resilience Act (DORA) will have on third party risk management (TPRM) for those institutions doing business within the bloc.
Similarly, the United Kingdom has introduced a critical third-party (CTP) regime through the Financial Services and Markets Act 2023. Despite the shared objective of these legislative measures, the strategies employed to address third-party risks vary significantly.
Taken together, though, and in the context of the BCBS’s move to foster a more standardized approach, it’s clear that TPRM is becoming increasingly front of mind for those tasked with the global challenge of insulating the sector from potentially showstopping issues.
The BCBS released its Consultative Document on Principles for the Sound Management of Third-Party Risk early in July. It supersedes the 2005 Joint Forum paper on Outsourcing in Financial Services and complements the 2023 Financial Stability Board report on enhancing third-party risk management and oversight.
The document introduces twelve high-level principles designed to offer banks and supervisors a unified framework for managing third-party risks. These principles are divided into two main categories: principles 1 to 9 focus on guiding banks in managing third-party risks effectively, while principles 10 to 12 provide supervisory guidance.
Key areas addressed by these principles include the concept of the “third-party life cycle” and the management of supply chain and concentration risks.
Technology-agnostic and flexible principles
The principles outlined by the BCBS are technology agnostic, ensuring their applicability across a broad spectrum of technologies, including artificial intelligence, machine learning, and blockchain.
They are also designed to be flexible, accommodating various risk management approaches employed by banks. Primarily aimed at large internationally active banks and their prudential supervisors, these principles are also beneficial for smaller banks, which can apply them proportionately based on their size, complexity, and risk profile.
Rosalyn Aryee, Head of Outsourcing & TPRM and Operational Resilience at Santander Corporate & Investment Banking, agrees that the complexity of the various multi-jurisdictional regulations makes adopting a standardized approach challenging.
“The key challenge is that there are so many regulations being developed,” she says. “The EU AI Act has been published. The UK has a consultation. So it is in train.
“The challenge is that you’re planning for something where you don’t know the end outcome, and having to grapple with something whilst the regulations are not there. That notwithstanding, you need to look at what the regulator is expecting. And again, it comes back to how you can protect your data.
“The overall aim is to ensure the integrity of the outcomes, and to do that we need to ensure the data going into these AI models is accurate. So it comes down to how you protect that.
“Contracts almost underpin the whole third party management process, so it’s really vital to have an established management process for contracts. And what do I mean by that? Most people will sign a contract for five years, ten years, and it’s dusted there. We don’t look at it again.
“But actually, for effective governance, you should have a periodic review cycle and review the contract to say actually, are these terms appropriate in light of regulations? Are these terms appropriate in light of even organizational changes or business needs?”
In attempting to bring a more unified approach to TPRM, the committee says it is seeking to promote and support international cooperation and consistency, thereby reducing regulatory fragmentation and bolstering the operational resilience of the global banking system.
The initiative underscores the importance of a cohesive global approach to managing third-party risks, ensuring that banks can navigate the complexities of their digital ecosystems while maintaining robust risk management practices.
DORA the enforcer – What do the EU’s new regulations mean for the UK?
Gerard Doyle is currently Head of Third Party Management and Procurement at SMBC Group, joining the organization in February of this year. Prior to his appointment at SMBC he spent 12 years in various roles at Credit Suisse, culminating in more than 8 years as Chief Operating Officer and Head of Third Party, Operational Resilience and OCIR.
In an era marked by rapidly evolving financial technologies and increasing cyber threats, the European Union’s Digital Operational Resilience Act (DORA) represents a significant regulatory milestone.
Though the UK is no longer part of the EU, DORA’s implications for UK financial institutions are profound due to the interconnected nature of the global financial system. This article explores the impact of DORA on UK financial institutions, navigating the complex regulatory landscape that shapes this dynamic sector.
Understanding DORA
DORA aims to establish a robust framework for ensuring the operational resilience of digital financial services within the EU. The regulation mandates stringent requirements for risk management, incident reporting, and ICT third-party risk oversight. According to DORA, financial entities must “ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats” while maintaining continuous service and safeguarding data integrity.
Gerard Doyle, EMEA Head of Third Party Management at SMBC, says that DORA will consign the traditional view of third party compliance as a box-ticking exercise to history.
“I think DORA now demands broader risk management,” he says. “What management bodies and regulators want to hear now is how you manage the risk. What’s the so-what? What should I be worried about that extends beyond compliance? It becomes more multi-dimensional.
“The way you measure that needs to change, and thought needs to be given to how that risk management is integrated into the organization. How do we create an opportunity to apply proper appetite-setting risk framework tools to help make that transition from looking at it purely from a compliance perspective?”
Cross-Border regulatory impact
Despite Brexit, UK financial institutions cannot afford to disregard DORA. Many UK-based entities operate across Europe or have clients within the EU, necessitating compliance with EU regulations. This alignment is critical for maintaining market access and operational continuity.
Enhanced risk management and resilience
DORA’s emphasis on risk management aligns with the UK regulators’ focus on operational resilience. The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have been vocal about the need for firms to bolster their resilience against operational disruptions. By adopting DORA’s principles, UK financial institutions can enhance their risk management frameworks, leading to greater resilience against cyber threats and technological failures.
DORA’s guidelines on incident reporting and risk management aim to provide a comprehensive blueprint for organizations to refine existing practices, and push them to not only meet but exceed regulatory expectations.
Incident reporting and transparency
One of DORA’s key requirements is the obligation to report significant ICT-related incidents. This transparency fosters a culture of accountability and continuous improvement. UK financial institutions, by aligning with these standards, can enhance their incident response mechanisms and promote greater transparency within their operations.
Adopting DORA’s incident reporting standards ensures that UK financial organizations are not just compliant with EU regulations but can also respond swiftly and effectively to any disruptions. This level of preparedness can prove invaluable in maintaining trust with clients and stakeholders.
ICT third-party risk management
DORA’s provisions for ICT third-party risk management require financial institutions to scrutinize and manage risks associated with third-party service providers.
This aspect of the regulation is particularly relevant for UK firms, many of which rely on a global network of service providers. By implementing DORA’s rigorous standards, UK institutions can mitigate the risks associated with outsourcing and third-party dependencies.
Compliance challenges and opportunities
While DORA presents several benefits, it also poses compliance challenges for UK financial institutions.
Aligning with a comprehensive regulatory framework like DORA requires significant investment in technology, staff training, and process redesign, potentially increasing the compliance burden – especially for smaller firms.
However, other organizations may view this challenge as an opportunity for innovation and growth.
The path forward
Navigating the complexities of DORA in the post-Brexit regulatory environment necessitates a strategic and proactive approach. UK financial institutions must stay abreast of regulatory developments, engage with industry bodies, and collaborate with regulators to ensure compliance while maintaining operational efficiency.
“Adaptability is the key word here,” says Doyle. “We’ve seen Covid, we’ve seen the Ukraine conflict, the energy crisis. We can’t always predict what’s happening in the future, but the past isn’t always a great predictor of what’s going to happen in the future either.
“So I think supporting the functions that are doing the outsourcing is key to this. We need to identify from a risk and value perspective which are the suppliers that are critical to us and the business that we operate in, and then use that as a way of determining best practice.
“You can then cascade those learnings down to your other vendors, but I think you’ve got to take a risk-based approach initially.”
DORA also presents clear opportunities.
By proactively engaging with both UK and EU regulators, UK institutions can influence and adapt to the evolving regulatory landscape, ensuring they remain not only competitive and compliant, but directly influential.
As the financial sector continues to evolve in a complex regulatory environment, the ability of UK institutions to adapt to and embrace regulations like DORA will be a critical determinant of their success. By leveraging DORA’s principles, UK financial institutions can not only navigate the regulatory complexities but also position themselves as leaders in operational resilience and innovation.
Do we need to talk about sexual harassment in the workplace?
Heeral Gudka, Principal Consultant and Founder at Convergent
With 10 years’ experience in EDI, Heeral's work has spanned private, public and third-sector organisations, delivering stand-alone workshops and also curating 6 to 12 month learning journeys. The support she provides to senior leadership teams is an essential part of the success they have created internally in building inclusive cultures – everyone needs a safe space to talk about difficult subjects, but they also need to understand where risks lie when it comes to workforces that don't understand minimum expectations.
Heeral is a former actuary and risk professional, and is trained to coach from a trauma-informed perspective. She has a diploma in counselling skills and a deep interest in philosophy and consistent thinking – the ideal blend of skills for providing this support to senior leaders.
The management of risk is etched into the fabric of financial institutions around the world.
Those risks are often primarily associated with financial exposure, but over time non-financial risks, such as ESG and DEI, have emerged as key considerations in the risk management frameworks adopted by banks and other lenders.
There are now just three months to go before the new Worker Protection Act 2023 – an amendment to the 2010 Equality Act – becomes law, strengthening protections against sexual harassment in the workplace.
The act will require employers to take proactive “reasonable steps” to prevent sexual harassment, whilst also mandating them to ensure their workplace culture, policies, and best practices are inclusive of all team members, and that all staff understand that sexual harassment is unacceptable.
Why is this notable for risk professionals within the financial services sector?
Well, there’s the not insignificant matter of the financial penalties organizations face if they’re found to be in contravention of the Act, of course – the provisions of the legislation give employment tribunals the discretion to assess what is considered “reasonable” for each employer, and tribunals will also be able to increase compensation awards for sexual harassment by up to 25% if an employer breaches their duty.
But the implications of the new law go much further than the potential exposure organizations face in purely financial terms.
At worst, the absence of a comprehensive sexual harassment policy will also have potentially far-reaching consequences for organizational culture, employee morale, and the institution’s reputation.
But perhaps the key issue that those in the financial services sector need to consider is how failing to be seen to be taking sexual harassment seriously can impact on the business of doing business.
There is now a large body of evidential research showing that many companies’ procurement processes, in deciding strategic partnerships and investment strategies, place a high degree of weight on potential partner organizations having demonstrable policies and processes around Environmental, Social and Governance (ESG) and Diversity, Equality and Inclusion (DEI).
It could be argued that the traditionally hierarchical structure prevalent in many financial firms can exacerbate power imbalances, making it challenging for victims to report harassment without fear of retaliation.
This environment risks undermining not only employee well-being, but also the institution’s credibility as a responsible corporate entity.
What does my organization need to do?
The Act becomes law in the UK on October 26 this year, giving those organizations that haven’t already done so a little under three months to ensure they have policies and processes in place that reflect the requirements of the law.
Key provisions of the Act include:
1. Definition and Awareness: The Act defines sexual harassment explicitly, raising awareness among employees and employers alike about what constitutes unacceptable behavior.
2. Preventive Measures: Financial institutions are required to implement preventive measures such as training programs and policies that promote a respectful workplace culture. These measures aim to educate employees about their rights and responsibilities while setting clear expectations for behavior.
3. Reporting Mechanisms: The Act ensures that institutions have robust reporting mechanisms in place, allowing victims to confidentially report incidents of harassment without fear of retaliation. This encourages a proactive approach to addressing complaints and preventing escalation.
4. Investigation and Accountability: When allegations arise, the Act mandates prompt and impartial investigations to determine the veracity of claims. This process holds perpetrators accountable while protecting the rights of both the accuser and the accused.
5. Legal Remedies: Employees who experience harassment have access to legal remedies under the Act, including compensation for damages incurred as a result of the harassment. This provision acts as a deterrent against misconduct and provides recourse for victims seeking justice.
What are the benefits to your organization of being seen to be compliant with the new legislation?
Although devising and then implementing policies and processes that specifically protect your employees from sexual harassment will take time and effort, there are nevertheless clear benefits for your organization’s risk management strategy in doing so.
Risk Mitigation - By adhering to the Act’s guidelines, institutions can mitigate the financial and reputational risks associated with sexual harassment claims. Not only is making redress to your member of staff potentially expensive, recruiting behind them if they leave is also a significant hit to your bottom line.
Enhanced Reputation - Institutions that prioritize employee welfare and uphold ethical standards are perceived more favorably by clients, investors, and the public, making them more likely to want to do business with you and potentially improving revenue streams.
Improved Employee Engagement - A respectful work environment fosters higher employee morale, productivity, and retention rates, contributing to long-term organizational success.
Better recruitment - We already know that companies and organizations that have visible, credible and established DEI and employee wellbeing policies are increasingly more attractive to the best candidates in the market. Sexual harassment is indelibly linked to DEI activity, and so being seen to be taking the WPA seriously will also reinforce your employer brand.
Challenges and Implementation
Despite its benefits, implementing the Worker Protection Act UK poses challenges for financial institutions. Compliance requires ongoing commitment from leadership, adequate resources for training and enforcement, and a cultural shift towards zero tolerance for harassment.
In the end, sexual harassment poses significant risks to financial institutions, affecting not only individuals but also organizational integrity and success. The Worker Protection Act UK serves as a critical tool in combating these risks by establishing clear standards, promoting accountability, and safeguarding the well-being of all employees.
There are six main risk factors that underlie an organization’s overall exposure to the risk of sexual harassment incidents occurring and, once they have occurred, the risk of their not being dealt with effectively:
• Knowledge about sexual harassment and sexual harassment policies
• Experience of sexual harassment incidents
• Reporting of sexual harassment incidents
• Support for staff
• Satisfaction with management responses
• Capability of the HR Team to investigate incidents
By embracing the Act’s principles, your organization can not only create safer, more inclusive workplaces where employees thrive and the institution prospers, but also reinforce the institution’s commitment to ethical practices and societal responsibility, making it a more attractive option for would-be partners, employees, and investors.
To learn more about the Act and to find out how to understand your risk exposure, readers have exclusive access to three online explainer sessions (spaces are limited to 40 people, one person per organisation only):
• 12pm - 1.30pm on 8th October
• 2pm - 3.30pm on 8th October
• 9am - 10.30am on 9th October
Managing interconnected risk in a technology-rich future
In an interview at the Risk Americas conference, Sabeena Ahmed Liconte, Head of Legal and Compliance at ICBC Standard Bank Group, shared her insights on managing the interconnectivity of risk categories and establishing a holistic view of risk.
With a diverse background spanning several prestigious organizations, including Merrill Lynch, E-Trade, and BNY Mellon, as well as experience in regulatory roles at FINRA and the New Jersey Attorney General’s Office, Sabeena brought a wealth of knowledge to the discussion.
As one of the four key participants in that panel discussion, what were 1 or 2 of the key interesting points that you walked away with given the number of questions that were raised by the audience?
There’s been a lot of noise in the industry around things like cybersecurity events. There’s also been a lot of technological failures and concerns around vendor management. There are companies like Ion that provide critical services to the capital market space and provide a back office solution, but as a vendor, they’re not regulated. And that’s made it very difficult for the regulators to try to understand the exact impact on the industry.
So there’s a lot of concern around third party risk management. But we spent a lot of time talking about operational resilience and also what we mean by enterprise risk management.
For me personally, I think the regulatory environment seems to be moving towards more of an operational resilience model that takes into account a broad range of areas like cyber, TPRM, etc.
But I think what I found interesting was that no matter what model you use, it tends to be more inward focused. You’re looking at technology, you’re conducting critical risk assessments. You’re doing testing. It’s inward, while things like operational resilience tend to be more outward focused. How do you get online? How do you provide services? How do you stay operational?
It was also really interesting for me to hear panel members talk a lot about culture, the role of the board and how that was a key takeaway, because I think with the current regulatory focus, it’s not about an inward approach and finding the technological assets that ultimately can pose potential risks and trying to catalog those and conduct testing of it. And it’s not just about making sure your service is available 24 hours and that you’re taking into account customer harm.
At the end of the day, it really comes down – and this is going to sound clichéd – to a culture of risk. A culture that’s risk conscious all the way down from the board level and not just having business constituents owning it.
Let’s move on to some of the tools and techniques that we use to leverage to facilitate real time monitoring and reporting, because there are a lot of interconnected risks. How do these tools contribute to a more holistic risk management approach within your organization and your experience?
There are so many different tools. It really depends on the risk area, because you have to do real time monitoring. I’ll focus on what’s probably helpful just in terms of a model or a framework or a way to gather data.
It’s something that cuts across the entire organization. It’s things like the risk and control self-assessment (RCSA) but if you’re just talking in general about technology, I mean, we have so many. And to be honest with you, most of it is really through third party vendors. So we have everything from real time monitoring of transactions, there are things like due diligence that you’re conducting on customers. You’re doing things like a daily data processing of your client list against a watch list to make sure you’re not doing business with what I like to call shady actors and individuals.
But all of this ultimately comes down to testing on a periodic basis through a really well established RCSA program. Whether or not the control environment as a whole is functioning effectively, there are a lot of moving parts and a lot of technology.
Put it to you this way, just to tell you how difficult it is to answer that question. In my own organizations I support roughly around 1000 employees. Do you know how much technology we have? 2000 different systems. They outnumber the employees we have. And that also says something about potential vulnerabilities as well.
In an internationally diverse organization, how can you ensure that the risks that you manage are cohesive, and coordinated inside and outside of the United States?
In any organization, it’s really hard to not think within silos. But at the end of the day, you have to try to look at things from an enterprise wide perspective. In many ways it helps that we have a little bit more of an enterprise-wide philosophy, because part of that involves a catalog of important business services that cut across the entire organization.
We have global relationships with a lot of vendors that cut across jurisdictionally, so it’s trying to understand and map how are these services being translated in other jurisdictions and ensuring that you have a team that sits within this operational resilience. But it still needs to be owned by a cross-disciplinary team of individuals.
Sabeena Ahmed Liconte serves as Chief Compliance Officer, Americas to ICBC Standard Bank Group (“ICBC Standard”), including its SEC-registered broker-dealer, ICBC Standard Securities Inc., and its CFTC-registered introducing broker, ICBC Standard Resources (America) Inc.
Prior to joining ICBC Standard, Sabeena’s previous professional experience included serving as Deputy Chief Operating Officer and Chief Legal Officer to the US investment banking division of Bank of China International.
In the context of third party risk management, part of that is ensuring that you’re doing the appropriate vetting at all lifecycle stages of your relationship with the third party. That involves people who, for example, need to do the onboarding in your front office, and who are engaging in some of the relationships. Then over time, you have finance and operations trying to operationalize things, making payments, legal and contractual representations, and so on.
What do you think the future of risk management looks like?
By its nature, the future is unknown, and none of us has a crystal ball. We don’t know what’s coming down the pipe. And when it comes to the ideal CRO, the person who has to sit in that seat can’t be an all-knowing, omnipotent person. They have to surround themselves with a cabinet of individuals who are the subject matter experts that can help, advise and guide them.
The second thing is a person who’s also conscious. True knowledge isn’t knowing what you know. It’s also knowing that you don’t know everything that you do know. And I think it’s a person who walks into the role understanding that there’s going to be a little bit of ignorance. They’re not going to be able to understand and be a subject matter expert in every area.
For example, if I look at somebody like myself sitting in legal and compliance, I need to understand that I may not have the technological know-how but I can bring other people – computer and data specialists, computer scientists – onto my team to help me to produce, record and present the audit trail records and data to regulators.
If we’re using an AI system every time, the machine learns the audit trail and will recognize that assumptions have changed and will ensure it’s making the appropriate decisions that humans would make. Humans are easier to deal with. Machine learning is great, but you still have to know when something’s gone wrong. You need to have that knowledge and know-how.
The importance of technology in an effective risk management program cannot be overstated. We are tech companies today, that’s both a curse and a blessing.
Banking AI - Safety, security, and ethical use
This article is based on an interview with Chris Smigielski. With more than 30 years of financial services industry experience, Chris has an in-depth knowledge of model risk management, model governance, model validation, financial model development, Asset Liability Management, and team development.
Chris is currently the Director of Model Risk Management at Arvest Bank and was previously Vice President, Director of Model Risk Management at TIAA Bank for five years.
In a panel session on the integration of AI in the banking sector at our Risk Americas event in New York City, risk industry leaders underscored the critical importance of robust governance frameworks to navigate the complexities of AI applications.
Held as part of a broader initiative to enhance AI governance in financial services, the session highlighted key challenges and strategies faced by banks aiming to harness AI’s potential while adhering to stringent regulatory standards.
Chris Smigielski, Model Risk Director at Arvest Bank, emphasized the necessity of implementing effective guardrails for AI.
“AI presents immense opportunities for innovation in banking,” he stated. “However, the highly regulated nature of our industry demands meticulous attention to safety, security, and ethical considerations.”
Transparency and explainability
Smigielski and other members of the panel stressed the importance of transparency and explainability in AI models, particularly in a field as regulated as banking. With AI’s capacity to process vast amounts of data and employ generative techniques, ensuring that decisions are clear and justifiable becomes paramount.
“Explainability and transparency are crucial,” Smigielski argues, noting that this is especially true “in areas like fair lending where decisions must be comprehensible and defensible.”
Mitigating bias and ensuring fairness
Addressing concerns about bias in AI models, the panel outlined a variety of rigorous best practice validation processes employed by banks to identify and mitigate biases.
“Our validation program includes extensive testing for bias and fairness,” Smigielski explained. “By scrutinizing data quality and conducting bias tests, we aim to ensure that AI-driven decisions are fair and unbiased.”
Ethical compliance and risk management
The panel also delved into strategies for monitoring AI models over their lifecycle to uphold ethical standards and manage risks effectively.
In the discussion, panel members highlighted the role of performance monitoring and setting tolerances for model behavior, underlining the need for adaptability of monitoring processes to accommodate the unique challenges posed by AI models.
Speaking after the panel discussion, Smigielski circled back to this point, noting: “This proactive approach helps us detect and address issues like model drift promptly.”
Balancing innovation with regulation
In navigating the tension between fostering innovation and complying with regulatory mandates, Smigielski emphasizes the need for a cautious approach.
“While AI offers transformative potential in banking, regulatory compliance remains non-negotiable,” he said. “By integrating stringent governance measures and ethical frameworks, banks can harness AI’s capabilities responsibly.”
Importance of AI literacy and professional exchange
There is also a significant factor to be considered in the role of AI literacy among banking professionals and the value of industry collaboration, with Smigielski making the case for the contribution that events like Risk Americas can make in facilitating knowledge exchange and peer learning.
“AI literacy is essential for understanding the implications of AI applications and ensuring responsible use across the organization,” said Smigielski.
Looking ahead, Smigielski expressed optimism about AI’s role in enhancing fraud detection, operational risk management, and customer service within financial services.
“AI’s potential is vast,” he said. “As we continue to refine our governance frameworks and embrace technological advancements, we anticipate significant strides in leveraging AI for the benefit of customers and stakeholders.”
The panel session underscored a collective commitment within the banking industry to harness AI responsibly, emphasizing transparency, fairness, and rigorous governance as foundational principles. As banks navigate the evolving landscape of AI technologies, robust frameworks for ethical compliance and risk management are poised to shape the future of financial services.
For more insights into the governance of AI in banking and ongoing developments, professionals and stakeholders are encouraged to stay engaged with industry dialogues and initiatives like Risk Americas that are aimed at fostering responsible AI integration.
The evolution of fraud risks and prevention tactics in the age of AI
This article is based on an interview with Tibor Bartels, who heads up the ING Transaction Services department for the Americas region. He is responsible for Payments and Cash Management solutions, Liquidity Management, Working Capital optimization and Traditional Trade solutions.
Currently he leads a team of product specialists that have in-depth discussions with Americas-based multinationals on how to improve their daily banking set-up.
Tibor has been with ING for over 16 years; he started his career as a trainee and worked in various departments of the bank. He is considered to be a specialist in treasury optimization and market trends in Europe and has regularly been interviewed by sector magazines.
In the rapidly evolving landscape of fraud prevention, one of the most pivotal advancements of recent years has been the integration of artificial intelligence (AI).
There’s no doubt that the emergence of AI and machine learning in all its forms has presented the financial services sector with a broad horizon of solutions, tools and systems that leave it better able to identify, mitigate, manage and contain risks of all types.
As a result, banks and other providers of financial services have been able to streamline their processes and practices, making them leaner, more dynamic, and – hopefully – more profitable.
But those opportunities also come with challenges in combating fraudulent activities worldwide. So, how do we harness all the benefits of AI, filter out its shortcomings as far as we possibly can, and chart a course forward in an increasingly digital and interconnected world?
So, if AI is both a catalyst for efficiency and a potential instrument for fraud, how do organizations embrace AI to enhance operations such as Know Your Customer (KYC) protocols, client onboarding, lending assessments, and personalized marketing?
AI-powered customer support systems have become commonplace, demonstrating the technology’s broad application in improving user experience and operational efficiency.
However, alongside these advancements comes a growing concern: the misuse of AI by malicious actors. A notable recent example involved AI-generated virtual personas used to orchestrate fraudulent activities, such as mimicking a CFO in a fabricated board meeting to siphon funds illegally.
Such instances highlight the urgent need for regulated AI deployment to mitigate emerging risks effectively. Tibor Bartels, Managing Director and Head of Transaction Services at ING in Rye, New York, says that shared experience may count for a lot in an environment where received wisdom on managing fraud risk changes depending on its context.
“I think the greatest risk that will occupy the industry over the next two years is how information and data is used and misused,” he says. “How do we use that information to protect ourselves, to make sure that every outgoing payment flow is secure, is authorized, is within our policy?
“And then, unfortunately, we’ll also see parties with criminal intentions that will use the same logic to trigger or influence payments to their benefit.”
He added: “If I would have to translate it into one word, I would say perspective. We need a different perspective because it’s one topic, but depending on the context of your organization, everybody has a different view, has a different challenge around it.”
The changing landscape of fraud detection
AI’s proficiency in handling vast datasets and automating complex tasks offers substantial benefits in fraud detection and prevention. Yet, it also amplifies the scale and sophistication of fraudulent activities.
To counteract these threats, organizations are urged to implement rigorous safeguards. These include advanced AI-driven authentication systems, stringent identity verification protocols, and continuous monitoring of transactional patterns to detect anomalies promptly.
But the financial services sector is challenged by the evolving nature of fraud in the digital age. Fraudsters adeptly exploit vulnerabilities in digital systems to steal sensitive information, manipulate transactions, and falsify documentation.
The challenge lies not only in preventing these incidents but also in adapting strategies to outpace evolving tactics employed by malicious entities.
This, Bartels says, is one of the primary issues keeping financial services treasurers and customers alike awake at night: “When we talk to treasurers and to our customers, a key issue for them is how we prevent fraud in an age when processes are getting quicker, more data is publicly available.
“How do we analyze the data to make sure that we prevent fraud from happening in the first place? What does the bank do? How does the bank invest? And what can the customer do to support that?”
Harnessing AI advances for defense
Looking ahead, AI is poised to become an even more formidable defense mechanism against fraud. Innovations in pattern recognition and anomaly detection promise to enhance the accuracy and speed of fraud identification.
Automated systems capable of flagging suspicious activities in real-time are becoming increasingly sophisticated, empowering organizations to respond swiftly and decisively to potential threats.
In the short term, AI’s role in fraud prevention is expected to expand further, driven by advancements in machine learning algorithms and data analytics. These technologies enable organizations to leverage predictive models and behavioral analytics to preemptively mitigate risks, thereby safeguarding financial transactions and sensitive data more effectively.
Balancing risks and opportunities
Despite its promise, AI presents inherent risks, primarily stemming from the abundance of data it processes. The vast reserves of information, if inadequately protected, can serve as a breeding ground for fraudulent activities.
However, with proactive measures and investments in robust cybersecurity frameworks, organizations can harness AI’s potential to fortify their defenses and thwart malicious intent.
The industry’s future resilience hinges on its ability to harness data responsibly while bolstering collaborative efforts across sectors.
Emerging technologies and financial crime – The tax perspective
This article is based on an interview with Kevin Newe, Assistant Director and the Illicit Finance Threats lead at His Majesty’s Revenue & Customs. He has worked for HMRC in a variety of risk prevention roles since 2006. Prior to that, Kevin worked within the policy development team at the Serious Organised Crime Agency.
The rapid advancement of technology has revolutionized the financial landscape, providing unprecedented convenience and financial inclusion. However, with these benefits come significant risks, particularly in the realm of financial crime.
The double-edged sword of technology
Technology has transformed how people interact with the financial system both domestically and internationally. From transferring money via mobile phones to making payments with Apple Pay, financial transactions have never been more accessible.
This democratization of financial services has allowed more people to engage with the financial system, which is a positive development.
However, according to Kevin Newe, Illicit Finance Threats lead at His Majesty’s Revenue & Customs in the UK, this increased accessibility also presents new opportunities for criminals.
The ease of setting up fraud schemes, such as email compromises and phone scams, has, he says, led to a rise in mass-market fraud.
Social media exploitation and the influence of unregulated financial schemes have also become significant concerns, yet in a fast-moving digital world, and despite regulatory and legislative efforts, new risks continue to emerge as old ones are addressed.
“Every time we bear down on a risk, whether that’s traditional or technology enabled or not, inevitably somewhere else a new risk manifests,” says Newe.
“I think we have to be conscious that regulation and legislation can only take you so far, but that really we need those kinds of platforms and those providers to be acutely aware of how they are being exploited and to ideally bear down on the problem as much as possible themselves, because obviously it has consequences for their reputation and their bottom line at the end of the day.”
Collaborative efforts and technological solutions
Newe believes that addressing the risks associated with emerging technologies requires a collaborative approach. HMRC, he says, recognizes that government and law enforcement agencies alone cannot manage the vast amount of data available.
He believes that partnering with third-party providers and leveraging their expertise in data integration and analysis is crucial.
“How do we become more dynamic? How do we become more forward leaning and use that data and that capability much more effectively than we have done in the past?
“Yes, there is a risk in technology, but it does also present significant opportunities, and we’re really proud to be working with a number of third party providers to really tackle numerous risks and ideally try to design solutions that pre-emptively address those issues before they impact the financial system.”
Technological advancements can also mitigate risks. By collaborating with innovative third-party providers, HMRC aims to. This proactive approach is essential in the face of rapidly evolving threats.
Public-Private partnerships and international cooperation
The UK has been at the forefront of efforts to foster public-private partnerships to combat financial crime.
Initiatives like the Joint Money Laundering Intelligence Task Force, established in 2015, exemplify dynamic and systematic collaboration between the public and private sectors, and these partnerships have proven valuable in mitigating risks and recovering revenue for public services.
But Newe says effective financial crime mitigation requires international cooperation. Many financial crimes, such as tax evasion and human trafficking, have global dimensions, and as a result, he says, HMRC is actively engaging with key jurisdictions, including the Netherlands, the United States, Canada, and Australia, through the Joint Chiefs of Global Tax Enforcement.
These collaborations facilitate extensive data sharing and enhance the ability to tackle financial crime on a global scale.
Addressing economic instability and its impact on financial crime
Economic instability, exacerbated by events such as Brexit, the conflict in Ukraine, and the energy crisis, is inextricably linked to an increase in financial crime, and particularly tax evasion, avoidance, or ‘management’.
This poses a unique challenge to HMRC, with Newe observing: “Where there is a serious organized crime element we need to respond robustly and effectively as we can and make sure that the front door, so to speak, is as secure as it can be.
“But on an individual level, we need to be pragmatic in trying to understand the motivations for people perhaps being non-compliant. There was, and there still is, for some people, a cost of living crisis. Being really heavy handed is really not beneficial to anyone.”
Internationally, HMRC recognizes the burgeoning threat of hostile state-enabled fraud. Addressing this requires robust compliance processes and global collaboration through forums like the Financial Action Task Force (FATF).
Navigating the complex regulatory landscape
The regulatory environment around financial crime is complex and constantly evolving. Balancing the need for compliance with practical implementation is a significant challenge for both HMRC and financial institutions, says Newe.
“How do we know what’s a priority if everything is a priority?” It’s a question that Newe says is very front of mind in the compliance conversation.
“You should know your risks and then respond accordingly,” he says. “But at the same time, we’re hearing from law enforcement that modern slavery, human trafficking, small boats are a big priority. Tax evasion remains an ongoing priority. Fraud is a priority. And so the level of compliance resource can only do so much.
“I’m not necessarily worried about new regulation. I think what we’re looking to do really is reduce some of that noise effectively.”
Enhancing communication and collaboration
Effective communication between HMRC and the private sector is vital for successful financial crime compliance, according to Newe.
“I think what’s reassuring to the private sector, and this is a thread that’s been developing over a number of years, is that the nature of the public-private relationship is changing from one that has traditionally had the private sector at arm’s length to one that has a much greater sense of shared mission,” he says.
“And that can only be a good thing.”
Unlock the secrets to crime prevention and empower yourself to outsmart the mastermind bad actors
FINANCIAL CRIME & TECHNOLOGY EUROPE
7th Annual November 5-6, 2024
London
www.cefpro.events/fceu
Combat financial crime and enhance your institution’s prevention techniques through technology and innovation
Advance your knowledge through the insight of 25+ industry leaders offering case studies and critical insights on:
• Leveraging technology to detect sanctions evasion
• Navigating the new regulatory landscape of AML
• Understanding potential use cases of AI for crime mitigation
• Addressing identity theft challenges
• Companies House reforms
Managing liquidity risk in today’s banking environment
This article is based on an interview with Ian Broff, VP and Head of Bank Financial Risk at USAA Federal Savings Bank in Texas. Ian is an experienced risk management professional with extensive skills in credit fundamental analysis, quantitative analysis and modeling, and macro-economic research.
Sector specializations include Banking, Global Insurance, Mortgage and Specialty Finance, REITs, Dealer Finance and Equipment Leasing. Ian is currently engaged in Asset/Liability Management, Market Risk, Liquidity Risk and Counterparty Risk at USAA, which is focused on serving the military and their families.
Such was the stability of the global financial markets prior to the Covid pandemic that there is now a whole generation of experienced market risk analysts and professionals who had, until recently, never experienced volatility of the kind seen today.
It is now 16 years since the financial crisis of 2008 sent the global financial markets into a tailspin and set off a chain reaction of bank failures, emergency rate cuts and a long era of economic austerity and risk aversion.
Yet for a decade or more, the financial waters were almost millpond-esque: barely a ripple to be seen, bank rates at an all-time low, and the financial climate resolutely temperate, regardless of what was thrown at it.
The pandemic changed that, and once that domino fell, so too did others: the UK’s fractious exit from the EU, political uncertainty on both sides of the Atlantic, the war in Ukraine and the global energy crisis it spawned.
There remain, of course, veteran war horses who rode into the risk management battles of 2008 and beyond. But their number is dwarfed by those for whom all of this recent uncertainty is new and challenging.
So, what are the factors that will define future market and liquidity risk? What are the priorities? Where should the focus be?
Current popular opinion
There is a prevailing view that in spite of the challenges the current economic climate presents, an active management approach can yield substantial rewards. However, to succeed, risk management processes must align closely with investment strategies.
Wider reading on this subject also suggests that asset managers need to focus on specific risk assessments and that while top-down analysis remains important, bottom-up risk assessment is particularly relevant for identifying issuer-specific risks.
Inevitably in volatile environments there are more variables at play, meaning that even where there is greater opportunity for profit, there’s also a higher risk of losses. In this sense, understanding market dynamics becomes crucial.
Further, the pandemic disrupted historical data inputs, impacting model predictability. Investment and risk managers now need to pay closer attention to their models and adjust for changing patterns.
Liquidity risk management – what are the priorities?
A significant focus in market and liquidity risk is on the primary funding source: deposits. By drilling down into segment-level data, risk management teams can understand the varying behaviors across different funding bases.
Lower balance tiers, often less affluent, exhibit different behaviors compared to higher tiers, which are more rate-sensitive and susceptible to spending pattern fluctuations. Inflation impacts the lower end more, whereas the higher tiers display greater sensitivity to interest rate changes.
Key metrics for assessing funding strength
Ian Broff, VP and Head of Bank Financial Risk at USAA Federal Savings Bank in Texas, argues there are two key metrics that risk teams should consider when assessing the potential exposure.
First, the organization’s liquidity coverage ratio (LCR): the ratio of its stock of high-quality liquid assets to its projected net cash outflows over a 30-day stress period, which shows whether it could meet its short-term obligations from liquid assets alone in the event of market disruption.
The second metric is any liquidity stress testing that’s been undertaken, which will model the impact of specific scenarios.
“Essentially, we’re looking at all the different contingent levers that we have,” says Broff. “We try to run assessments of what we think those levers will do under different market conditions. For us, one of the biggest ones is anything tied to our investment portfolio, which is quite large.”
Those scenarios might range from a comparison of rising-rate versus falling-rate environments to what extreme stress would look like at the discount window.
These tests involve creating customized scenarios to stress specific concentrations of risk and funding under abnormal conditions, providing a comprehensive view of potential vulnerabilities.
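To make the two metrics concrete, the following is an added worked example (written for this edit, not USAA’s or the article’s own model) of a toy LCR computed under the kinds of scenarios Broff describes: a base case, rising-rate and falling-rate cases, and an extreme run in which secured borrowing capacity at the discount window is the contingent lever. Every balance, haircut, run-off rate, inflow cap and contingent capacity below is a hypothetical assumption chosen for illustration, not a regulatory parameter or any bank’s actual figure.

```python
"""Added example: toy liquidity coverage ratio (LCR) under several
liquidity stress scenarios.

    LCR = stressed value of high-quality liquid assets (HQLA)
          / net cash outflows over a 30-day stress horizon

All balances ($m), haircuts, run-off rates, the inflow cap and the
contingent funding capacity are hypothetical assumptions for illustration.
"""

# Constructed HQLA holdings: (market value, base haircut, rate_sensitive).
# Rate-sensitive assets take an extra scenario haircut on top of the base.
HQLA = {
    "cash_and_reserves": (100.0, 0.00, False),
    "treasuries":        (250.0, 0.00, True),
    "agency_mbs":        (200.0, 0.15, True),
    "corporate_bonds":   (100.0, 0.50, True),
}

# Constructed funding balances by segment ($m).
FUNDING = {
    "retail_insured":           5000.0,
    "retail_uninsured":         1500.0,   # rate-sensitive, flight-prone tier
    "operational_wholesale":     800.0,
    "nonoperational_wholesale":  700.0,
}

INFLOWS_30D = 350.0           # contractual inflows due within 30 days
INFLOW_CAP = 0.75             # inflows may offset at most 75% of gross outflows
CONTINGENT_CAPACITY = 1200.0  # assumed secured borrowing capacity
                              # (discount window plus FHLB advances)

# A scenario is a 30-day run-off rate per funding segment plus an extra
# haircut applied to rate-sensitive HQLA.
SCENARIOS = {
    "base": {
        "runoff": {"retail_insured": 0.03, "retail_uninsured": 0.10,
                   "operational_wholesale": 0.25, "nonoperational_wholesale": 0.40},
        "extra_haircut": 0.00,
    },
    "rising_rate": {   # yield-chasing uninsured balances leave; bonds marked down
        "runoff": {"retail_insured": 0.05, "retail_uninsured": 0.25,
                   "operational_wholesale": 0.25, "nonoperational_wholesale": 0.50},
        "extra_haircut": 0.05,
    },
    "falling_rate": {  # deposits sticky, wholesale somewhat calmer
        "runoff": {"retail_insured": 0.02, "retail_uninsured": 0.05,
                   "operational_wholesale": 0.20, "nonoperational_wholesale": 0.30},
        "extra_haircut": 0.00,
    },
    "extreme": {       # bank-run case: uninsured flee within days, wholesale gone
        "runoff": {"retail_insured": 0.10, "retail_uninsured": 0.60,
                   "operational_wholesale": 0.50, "nonoperational_wholesale": 1.00},
        "extra_haircut": 0.10,
    },
}


def hqla_value(extra_haircut=0.0):
    """Post-haircut HQLA; the extra haircut hits only rate-sensitive assets."""
    total = 0.0
    for value, haircut, rate_sensitive in HQLA.values():
        h = haircut + (extra_haircut if rate_sensitive else 0.0)
        total += value * (1.0 - min(1.0, h))
    return total


def net_outflows(runoff):
    """Gross 30-day outflows less inflows, with inflows capped at INFLOW_CAP."""
    gross = sum(FUNDING[seg] * runoff[seg] for seg in FUNDING)
    return gross - min(INFLOWS_30D, INFLOW_CAP * gross)


def lcr(scenario):
    s = SCENARIOS[scenario]
    return hqla_value(s["extra_haircut"]) / net_outflows(s["runoff"])


def funding_gap(scenario):
    """(shortfall before contingent levers, shortfall after drawing them)."""
    s = SCENARIOS[scenario]
    gap = max(0.0, net_outflows(s["runoff"]) - hqla_value(s["extra_haircut"]))
    return gap, max(0.0, gap - CONTINGENT_CAPACITY)


def run_all():
    """Scenario name -> (LCR, gap before levers, gap after levers)."""
    return {name: (round(lcr(name), 3),)
                  + tuple(round(g, 1) for g in funding_gap(name))
            for name in SCENARIOS}


if __name__ == "__main__":
    for name, (ratio, before, after) in run_all().items():
        status = "OK" if ratio >= 1.0 else "BREACH"
        print(f"{name:13s} LCR={ratio:6.3f} {status:6s} "
              f"gap={before:7.1f} after levers={after:7.1f}")
```

The point the scenarios make is the one in the text: the same balance sheet passes comfortably in the base and falling-rate cases, breaches in the rising-rate case, and in the extreme run exhausts the assumed contingent capacity as well, which is exactly the kind of concentration a customized scenario is meant to expose before it happens.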
Other tools, says Broff, include regular monitoring of Certificate of Deposit (CD) pricing, balance performance, unsecured funding volumes and credit spreads, which together provide insight into the external environment and what it implies for raising funds.
Collaboration with other departments
According to Broff, effective liquidity management requires close collaboration between the market risk team and other departments, such as Treasury and Finance.
Regular joint exercises, such as annual reviews and calibrations of liquidity stress test scenarios and contingency funding plans, can then be conducted, and these exercises create challenging and relevant scenarios that reflect current market conditions.
Additionally, says Broff, monthly monitoring of liquidity stress test results and weekly meetings to discuss deposit flows and pricing further enhance collaboration, allowing for timely identification and escalation of material changes to risk management committees.
Challenges and lessons from recent banking crises
Banking crises, such as those involving Silicon Valley Bank (SVB) and Signature Bank, have heightened awareness of funding and liquidity risks.
Increased regulatory expectations necessitate more frequent and detailed stress testing, including lower probability but higher impact scenarios, and the pace of liquidity stress emergence has accelerated, requiring banks to have contingency plans that can be executed swiftly.
Broff says: “I think we’re learning that there’s an interplay very much between liquidity stress testing and how it impacts the ALM management process. And what this has taught us is that because of what the outflow means on your liability, it effectively shortens your duration significantly.”
“What that means is that you’re going to have liabilities that reprice a lot quicker than you thought they were going to under stress conditions,” he adds. “What we learned was that under stressed conditions, most institutions are going to have more liability sensitivity than they thought they would.”
Future Challenges
Looking ahead, Broff expects the banking sector to face ongoing challenges. The systemic nature of banking, he says, means it’s interconnected with every industry, making it susceptible to broader economic issues. A significant concern here is the exposure to commercial real estate (CRE), particularly given the current strains in this sector.
Additionally, weakened sectors such as retail, hospitality, and office spaces are underperforming, exacerbated by the COVID-19 pandemic. As a large volume of CRE debt maturities approaches, banks with significant exposures may struggle with nonperforming assets and capital adequacy.
Great minds think alike, but brilliant minds think differently.
Join a community of industry leaders and the new generation of talent shaping the future of risk management.
For our global audience, Connect means access to exclusive, collaborative, high quality risk management insights and discussions, no matter where you are:
• Watch, listen, and read your way through our extensive library of resources
• Access exclusive interviews, presentations, thought-pieces, industry intelligence, and more
• Discuss the most talked about trending topics and share your perspective
• Collaborate with like-minded professionals and build new relationships
Embark on an exciting journey of discovery. Start exploring Connect today.