KEEPING PACE WITH EVOLVING THREATS
Navigating a shifting risk landscape
INSIDE THIS ISSUE
CYBERSECURITY
Staying ahead of the hackers
CLIMATE RISK
Setting the corporate tone
ONES TO WATCH
The key NFR trends of 2022
RISK AMERICAS
Getting back to business
INDUSTRY VIEWPOINT
www.cefpro.com/magazine
AML FINTECH ESG CONDUCT RISK FRAUD
TPRM
Meeting new supplier requirements
ISSUE 2 – FEB/MAR 2022
Biggest threats to vendor risk
SURVIVAL AND SUCCESS IN A POST-PANDEMIC WORLD
By Sabeena Liconte, Bank of China International (USA) Holdings Inc.
By Jacob Kosoff, Regions Bank & Bradley Mirkin, Berkeley Research Group
Michael Sparks, BNY Mellon
LEAD FROM THE FRONT TO MITIGATE CLIMATE RISK
By Frank Morisano, ICBC
INDUSTRY INSIGHT THE KEY NON-FINANCIAL RISK TRENDS OF 2022
By Alice Kelly, CeFPro 12
FINTECH FOCUS WHY FIRMS MUST EMBRACE FINTECH TO REMAIN COMPETITIVE
We welcome contributions. If you or your organization are interested in featuring in our next issue, please contact editor@cefpro.com
ADVERTISING & BUSINESS DEVELOPMENT
If you are interested in sponsorship and advertising opportunities, please contact: sales@cefpro.com
LEVERAGING TECHNOLOGY TO KEEP AHEAD OF THE AML CURVE By Becky Schauer Robertson, Atlantic Union Bank
19 ADVERTORIAL REVISITING FUNDS TRANSFER PRICING POST-LIBOR By Empyrean Solutions
20 Q&A
22
23
MEETING NEW REQUIREMENTS FOR THIRD-PARTY MANAGEMENT By Sean Titley, Metro Bank (UK)
MEMBERSHIP MATTERS ADVANCE YOUR LEARNING WITH CEFPRO’S FREE MEMBERS’ HUB
TALKING HEADS GREATEST THREATS TO VENDOR AND THIRD-PARTY RISK
By Seth Giovanetti, Oportun 16 EVENT PREVIEW: RISK AMERICAS COUNTDOWN TO AMERICA’S PREMIER FINANCIAL RISK AND INNOVATION CONVENTION
As the financial services community navigates non-financial risk (NFR) amid a pandemic, we are consistently confronted by new challenges while simultaneously tasked with mitigating older and familiar hurdles that continue to plague us. The themes explored in this edition of iNFRont magazine represent a cross-section of these issues. Whether novel (like conduct and culture risk in the post-pandemic landscape) or familiar (like cybersecurity, technological innovation, or third-party risk), a common thread exists; disruption and change are regular features of today’s markets. Thus, the need to anticipate change and proactively predict and respond to it are important hallmarks of our survival and success.
This edition spearheads dialogue on critical NFR-related concepts linked to our survival and success. Threats like the weaponization of fintech and our susceptibility to cybercrime are underscored. There is, concurrently, an implicit recognition that technology must be leveraged to thwart competition. The use of technology in combating money laundering; managing conduct risk; and developing metrics, targets, and disclosure protocols for sustainability and other forms of NFR are important themes about which we must be cognizant.
In the future, we shall look back on this time and recognize the pivotal role we collectively played in guiding our industry to its survival and success against unprecedented change and disruption. To this end, we are akin to being the historians of our time. More critically, iNFRont offers us a vital platform for the exchange of ideas and a medium for fellow ‘historians’ to engage in meaningful dialogue, chart our future path, and, ultimately, better control the trajectory of our evolution.
We truly hope you enjoy this issue of iNFRont and find the perspectives shared by the industry thought leaders to be invaluable as you, too, embrace the changes of our time and strive to do your part in charting our next normal.
MAGAZINE ADVISORY BOARD
Oskar Rogg MD, Head of Treasury, Americas Credit Agricole CIB
Angela Johnson de Wet Head of Risk for IT Change and New Technologies Lloyds Banking Group
HEAD OF CONTENT & EVENT PRODUCTION
To participate in our research and forthcoming conferences, please contact Alice Kelly: alice.kelly@cefpro.com
MARKETING INQUIRIES
To discuss media and marketing collaborations or to join us at our conferences, please contact Amy Greene: amy.greene@cefpro.com
PUBLISHER
Andreas Simou andreas.simou@cefpro.com
MANAGING EDITOR Kate O’Reilly kate.oreilly@cefpro.com
HEAD OF DESIGN Natasha Marino www.cefpro.com
Alpa Inamdar Transformation Leader AIG
CONTENTS ISSUE 2 - FEB/MAR 2022
4 THE BIG CONVERSATION CYBERSECURITY IN FINTECH
3 FOREWORD SURVIVAL AND SUCCESS IN A POST-PANDEMIC WORLD
14 INFOGRAPHIC FIGHTING FRAUD
FOREWORD
OUR MAGAZINE TEAM...
Ty Lambert CRO Bancorp South
Michael Jacobs Lead Quantitative Analytics and Modeling Expert PNC
Sabeena Liconte Deputy COO and Chief Legal Counsel Bank of China International (USA) Holdings Inc., member of Bank of China Group
Mike Guglielmo Managing Director Darling Consulting Group
Ken Wolckenhauer VP, Vendor Management Nordea Bank, New York Branch
Dominique Benz Head of Business Controls Mizuho
6
CONDUCT AND CULTURE RISK NAVIGATING THE POST-PANDEMIC CONDUCT RISK LANDSCAPE By
8 ESG
10
18 Q&A
CYBERSECURITY IN FINTECH
Bradley Mirkin Managing Director Berkeley Research Group
Jacob Kosoff Head of Model Risk Management and Validation Regions Bank
To mark the launch of our 4th Annual Fintech Leaders Report (download your copy here), CeFPro hosted a one-day virtual forum to review the report’s key findings with industry experts. One session focused on the highest rated risk of 2022 – cybersecurity – and investigated the opportunities, investment priorities, benefits, and challenges for fintechs and banks. Here, we present an overview of the discussion and some of the key takeaways from our panel of experts, with quotes from Bradley Mirkin and Jacob Kosoff…
Legacy systems will always be critical; there is no patch for the obsolete.
As technology, inclusive of fintech, continues to be effectively weaponized by attackers, the industry is seeing increasing examples of breaches. Many stem from legacy technology, as seen with the SolarWinds attack where, after rapid acquisition and growth, the software was weaponized through a digital certificate that remained from an old system.
An increased reliance on and use of cloud service providers and technology does little to diminish this risk; responsibility is shared, and a breach can still occur at any time. The shift to homeworking has also enhanced the security challenge, not just as a direct impact of the pandemic but also because of vulnerabilities that have been exposed as a result of home network security issues.
Over 80% of cyber breaches are caused by people, meaning that training is so important. It goes beyond the technical aspects of cybersecurity – it’s also about looking at the training aspects, the education of your people, and the education of consumers.
The panel identified staff training as a key investment opportunity for 2022. With tactics such as deep fakes and ransomware continuing to evolve, organizations are investing more in their people as opposed to layering additional tools and solutions. As the threat landscape escalates and advances, agility of organizations and their staff is critical, as is training staff to identify risks. But with much of the workforce operating remotely from home, training and enhancing control environments are now both more challenging and more necessary.
As organizations move from a single controlled environment to being dispersed across the country, the risks are two-fold: weaknesses in home networks combined with difficulties in monitoring staff and hardware mean increased compromise to the organization. More employees have access to more systems, with heightened access privileges, making AI models less accurate and highlighting a need for reprogramming to better reflect the current risk environment. Staffing again becomes of paramount importance to ensure teams understand the shift in patterns and how to manage this. Investing in staff that use AI solutions, and identifying potential pitfalls when external factors change and the models are no longer predictive in nature, are therefore crucial.
Due to the rapid acceleration in digital services and online offerings, security roles have changed significantly and require constant upskilling and training if companies are to stay ahead. The focus for 2022 has shifted away from buying new tools towards effectively managing the ones already in place. Ensuring IT is monitored and reviewed on an ongoing basis and understanding how all aspects are intertwined are critical if firms are to appreciate the various ways risk can be brought into the organization.
With so many working from home, the fact that criminals can access home networks so easily means that organizations’ security is jeopardized.
One of the major areas raised by the panel as a continued challenge for 2022 is the evolution of deepfakes and their increasingly sophisticated techniques. As attackers continue to advance in their approaches, deepfakes have become a much larger security problem. Many security protocols rely on detection of anomalies or mistakes; however, technology is advancing to avoid anomalies, with deepfake voices increasingly fooling both employees and AI systems.
Organizations should be deploying staff to monitor more extraordinary requests and validate effectively up to CEO level. Those monitoring for potential breaches must also be comfortable validating anything extraordinary originating from inside the company, including senior C-suite figures.
One such example was seen in early 2020, when a Hong Kong bank transferred $35m after a ‘company director’ authorized the transfer to a bank manager via a telephone call – the fraudsters had leveraged deep voice technology and cloned the director’s voice. Contingency plans must therefore be in place to empower employees to contact key personnel directly to verify transactions, without fear of recrimination from more senior figures.
We’ve seen a lot of investment in staffing to ensure that firms buying varieties of AI solutions to help with preventing fraud and cyber incursions are using them to the best of their ability... Otherwise, it’s like buying a Ferrari and only using first gear.
Finally, the panel discussed increased debate in the modeling and IT space around how successfully tools are distinguishing between genuine and fraudulent customers. With the cyber risk landscape continuing to evolve at a rapid pace and against a backdrop of constant volatility and external changes, models and tools require frequent intervention. Enhancing current tools and understanding their performance therefore seem to be of increased importance for 2022.
There is a heightened focus on quantifying the performance of each tool and reviewing false flags to fine-tune and optimize efficiency. Models need constant review and validation, with internal controls being followed and a continuation of internal education being prioritized. It remains vital to educate staff at all levels to ensure that investments are understood, and that any existing infrastructure is complemented, so that tools can be effectively managed and tailored to an organization’s needs. Technology is advancing from both fraudsters and internal defenses – as each side continues to further its education, comprehensive understanding by those managing the risk is required.
Training and internal controls are important. It’s not just about finding a better tool or a better incorporation, it’s about having the workforce respond and use the tech effectively.
Cybersecurity consistently attracted 50% or more of the votes in our Fintech Leaders survey as both an obstacle and an investment opportunity. This was unsurprising to our expert panel who discussed whether the sharp rise in cyber risk challenges is as a direct result of the pandemic, or because the pandemic has prompted an acceleration in digital activities.
CeFPro’s Fintech Leaders is one of the most comprehensive, industry-led analyses on the status and direction of technology in financial services, advised by nearly 2,000 industry professionals and our expert panel of 60+ Advisory Board members.
THE BIG CONVERSATION
MANAGING LEGACY TECHNOLOGY
PRIORITIZING PEOPLE
INCREASED DIGITALIZATION
THE RISE OF DEEPFAKES
MAXIMIZING CYBER TOOLS
2022 CEFPRO’S GLOBAL FINTECH RESEARCH REPORT: PROVIDING VOICE TO THE MARKET AND ASSESSING THE STATUS AS IDENTIFIED BY THE INDUSTRY WITH AN OVERALL RANKING OF 33 INDIVIDUAL CATEGORIES CeFPro members can download a FREE copy today from www.cefpro.com/fintech-leaders
DOWNLOAD YOUR FREE FINTECH LEADERS REPORT
NAVIGATING THE POST-PANDEMIC CONDUCT RISK LANDSCAPE
The remote working environment has brought new challenges for firms in relation to the management of conduct risk. Behavioral indicators (red flags) can be more easily identified through in-person interactions and may even be missed altogether in a remote setting. While many of these in-person interactions in a traditional office setting may be informal or fleeting, they can still be telling for managers and supervisors. This type of oversight is not easy to replicate when working remotely.
However, only time will tell how big an impact the pandemic has had on the effective management of conduct risk. In the past, conduct issues have tended to be somewhat persistent before fully emerging. Firms have been quick to recognise this challenge and have taken steps to reassess and/or further enhance other risk mitigants, particularly surveillance of e-communications. As managers get to grips with the future working landscape, including new technologies, and as different patterns of working emerge to better replicate some of the benefits of being co-located with colleagues, I expect to see new and improved ways for staff to stay connected. This may address some of the oversight deficit that remote working has brought.
As a follow-up to our Risk Focus article in issue 1 (p6, The Changing Face of Culture and Conduct Risk) BNY Mellon’s Michael Sparks outlines his views on how the pandemic has impacted conduct risk and fundamentally shifted corporate culture.
I would also expect standards for ‘adequate’ working from home arrangements to emerge. Some of these were already in place pre-pandemic but the recent rise in home working has prompted a need for increased focus on ‘workplace’ health and safety, wherever that workplace may be. In general, firms have been quick to respond in terms of rolling out assessments and procurement processes to cover the adequacy of equipment and technology to support their employees’ health, wellbeing, and productivity whilst working remotely.
REAL-WORLD STRESS TESTING
In terms of operational resiliency, the pandemic has forced companies to expand and/or stress test their ability to work remotely. This has been one major upside for resiliency risk managers who, even in their wildest dreams, could not have envisaged being able to test remote working arrangements on this scale prior to March 2020. As a result, the financial services industry is now substantially more resilient to localized weather issues, utility outages, and other events that can disrupt access to premises.
However, the future working landscape does bring with it some new challenges. It is likely that firms will reduce their real estate footprint over time and review the need for dedicated seats at an alternative site for contingency purposes. This may pose a challenge if they are faced with widespread utility outages that impact their at-home employees. If a firm has a significant number of staff working remotely on an ongoing basis, then the natural contingency will be to bring people back into the office. This may prove difficult if there is insufficient capacity to accommodate 100% of staff at the resized office; if a severe weather event has also impacted transport infrastructure; or if employees are working remotely on a permanent basis from a location far from an office.
As a result, we will likely see resiliency measures for critical staff evolving to include redundancy in their homes for telecoms and power. Some firms have already arranged for generators to be installed at their employees’ homes for this purpose – as battery technology improves, this may become more prevalent.
KEEPING PACE WITH TECHNOLOGY
Regarding progression opportunities, there is also a risk of less technologically engaged employees being left behind. The future state model is not yet fully developed, and our ways of working will need to adapt to try and manage for this potential outcome. We have only just started this journey and so far, have taken largely existing legacy management practices and simply moved them to a remote environment, replacing in-person interactions with video conferencing and instant messaging. We will all need to respond and adapt over time, and the evolution of work will likely catalyze academia to develop new management practices. I feel that time spent interacting with colleagues in person will continue to be important, but we clearly need to find ways to be less reliant on this when developing our future talent.
A MORE CARING CORPORATE CULTURE?
When we consider the impact of the pandemic on company culture, it is worth defining what we mean by ‘culture’: culture is how a firm’s values manifest themselves through the behaviors of its employees. Behaviors tend to be habitual, so it takes time for culture to materially shift; I don’t think we’re far enough down the road yet to have seen a material shift post-pandemic. However, it is certainly on the way, driven by some major societal moments that have led to a very broad reassessment of values in both our companies and our communities.
First, the pandemic has prompted firms to become much more focused on their employees’ health and wellbeing, particularly their mental health and work-life balance. The importance now being placed on this topic at the most senior levels in organizations will shift behaviors and affect decision-making over time. I believe the pandemic will also promote flexibility, empowerment, and personal responsibility to become prominent features in the culture of those firms where remote working is particularly pervasive.
Second, and not related to the pandemic, 2020 and 2021 saw significant levels of public discourse on our collective values regarding climate change and systemic racism in developed economies. The outcome of this is that, in the main, firms have stepped up their commitments to making a positive impact in the world by taking actions to address these two issues. Values have been reassessed and reaffirmed – in bold – and over time, this will again lead to a realignment of behaviors and culture. Firms that are slow to respond to these shifting sands may find it difficult to attract and retain the talent they need to be successful.
Michael Sparks will be speaking at CeFPro’s New Generation Operational Risk Europe event in London on 29-30 March, 2022. For the full list of speakers and agenda or to book your place, see page 21 or go to www.cefpro.com/oprisk
CONDUCT AND CULTURE RISK
Michael Sparks Chief Risk Officer, Issuer Services BNY Mellon
The sustainability boom has brought climate change and the environmental, social, and corporate governance (ESG) agenda to the forefront of the corporate boardroom. Boards of directors are leading the way by enhancing corporate governance, transforming management oversight of business activities, and directing senior management to assess the impact of compliance among their stakeholders.
LEAD FROM THE FRONT TO MITIGATE CLIMATE RISK
Frank Morisano Chief Risk Officer ICBC
With one billion people expected to be severely affected by extreme weather conditions and climatic hazards, boards have accepted that climate-related risks will impact their organization. They are confronting the associated financial risk by applying the following five principles:
• Starting the conversation to understand the effects through the lens of long-term value creation.
• Determining whether directors understand the risk impact on their business strategy and growth.
• Ensuring their governance framework is responsive to regulatory and stakeholder demands.
• Guiding senior management to develop the required protocols to address performance metric and disclosure requirements.
• Holding senior management accountable to turn commitments into measurable actions.
The conversation principle involves the board deploying a leadership commitment to assess whether it has the necessary knowledge and skills to identify ESG risk factors. Effective risk management governance requires a clear alignment between organizational targets and business activities, as products and services that drive profitability today may not be viable in the coming years due to changing climate-related events.
Considering how pervasive the climate topic has become, boards have recruited directors with existing ESG knowledge. However, a greater impact may be achieved by educating the entire board about the topic and its organizational impact. Senior managers such as chief risk officers (CRO) and the general counsel can be instrumental in helping board directors understand climate-related risks, with third parties also playing a role.
The champion of this process is most often the CRO or risk executive, as there is interconnectivity between business strategy, climate-related risks, lending decisions, underwriting of net-zero transactions, stress testing, and disclosure reporting. Risk executives have proven to be effective in embedding a climate-related risk framework into the existing enterprise risk management framework, as well as understanding the organization’s resilience.
Boards have also championed the creation of departments accountable for disclosure preparation, production, and reviewing; ensuring that climate change and ESG information in the company’s financial filings and shareholder reports is correct. The Financial Stability Board Task Force on Climate-related Financial Disclosures (TCFD) framework is accepted by 60% of the world’s 100 largest public companies as the standard for disclosing climate-related financial information to stakeholders, encouraging both forward looking and historical scenario analysis to enhance decision-making.
Globally, regulatory guidance can help organizations understand how best to monitor and oversee ESG concerns using four main categories: governance, strategy, risk management, and metrics.
For example, the U.S. Securities and Exchange Commission has published guidance regarding disclosure related to climate change to complement the TCFD framework. Since investors want accountability, boards have linked the risk appetite framework and created supporting metrics to gauge climate-related risks. Moreover, boards have expanded staff compensation programs to include achieving ESG milestones and have integrated ESG into the organization’s values.
A key action for the board is to understand the impact of climate change and ESG-related risks on their business model in the short, medium, and long term. This will enable it to guide the organization in identifying how climate-related risks are met by its products and services, as well as understanding how they affect the risk profile. Such assessments can result in organizational change, including improving strategic planning, modifying risk appetite setting, and expanding scenario analysis and non-organic expansion plans.
ESG risks are difficult to assess and measure as they are highly uncertain, non-linear in nature, and affect organizational assets, sectors, and geographies differently. To address business impact, boards have established central coordination activities and enhanced the roles and responsibilities of their organizational model to improve execution, communication, and messaging. This has been proven to promote a culture of appropriate risk accountability among management and employees.
Regulators and stakeholders want a comprehensive, cohesive account of an organization’s ESG commitments. In response, boards have directed senior management to evaluate organizational vulnerabilities and threats. The focus is on categorizing the sub-components of climate-related risks and applying these categories to the relevant asset classes, sectors, and geographies to ensure actions are aligned with stakeholder expectations.
Boards have also brought in third-party experts to help them benchmark their organization against ESG governance industry principles, including adapting risk tolerance measurements, improving risk appetite settings, and enhancing risk management frameworks. Additionally, they have quantified their organization’s risk exposure by allowing oversight of climate-related risks under both normal and stressed conditions.
What an organization does not understand about ESG is a major concern for stakeholders. Investors require robust disclosure information, including metrics, to fulfill their fiduciary obligations. Rating agencies have been known to factor ESG risks into the assessment of the creditworthiness of public and private sector organizations, not least because climate change can significantly affect cash flows and a borrower’s ability to meet their debt obligations.
Recognizing these needs, boards have called for the strengthening of risk frameworks and procedures to ensure the proper controls for monitoring, measuring, and reporting performance.
Senior management has assisted by focusing its efforts on enhancing internal quality controls to confirm performance metrics. Along with the data collection processes, these usually include a common set of data definitions, transparent calculation methodologies, and tested quality controls. In addition, there must be a common taxonomy to foster greater transparency for investors, specifically for financial products labeled green or sustainable.
A key consideration is the placement of disclosure reports, which differ based on stakeholder preference. Common platforms include annual reports, proxy statements, sustainability reports, earnings calls, and an organization’s website.
Climate change poses a serious material risk to all organizations. Board commitment has been vital in ensuring an organization is taking adequate steps to prevent and prepare for any damage resulting from climate change; assume its corporate social responsibility to address climate-related risks; and guarantee investor and stakeholder needs are satisfied. Successful organizational accountability requires senior management and the CRO to constantly scan the marketplace, discover new risks, and focus on key business growth drivers.
Success is attained when the board, senior management, and risk executives speak with one voice, ensuring robust climate change and ESG messaging is conveyed to stakeholders. Resilience can be achieved by the board strengthening the organization’s risk management ability and reporting capabilities; implementing new tools and enhancing data collection to manage the risk impact; and staying flexible to ensure the right dialogue and monitoring are occurring.
There can be no excuse for inadequate preparation, delayed deliberation, or failure to engage in this complex and continually evolving issue. Regardless of an organization’s size or regulatory requirements, both the board and senior management must ensure that discussion of the risks arising from climate change and ESG is a regular agenda item at committee and shareholder meetings.
ESG
1. START THE CONVERSATION
2. UNDERSTAND THE BUSINESS IMPACT
3. RESPOND TO REGULATORY AND STAKEHOLDER CONCERNS
4. DEVELOP METRICS, TARGETS, AND DISCLOSURE PROTOCOLS
5. ENSURE COMMITMENT AND ACCOUNTABILITY
Frank Morisano will be speaking at CeFPro’s Risk Americas event in New York City on May 10-11, 2022. For the full list of speakers and agenda or to book your place, see pages 16-17 or go to www.risk-americas.com
THE KEY NON-FINANCIAL RISK TRENDS OF 2022
Alice Kelly Head of Content and Event Production CeFPro
In preparation for our 11th Annual Risk Americas Convention (New York City, May 10-11, 2022), CeFPro’s research team has conducted an extensive campaign to identify the key trends and challenges facing risk management professionals in 2022. As part of this research project, we interviewed more than 60 experts across a range of risk silos to gain an inclusive, industry-wide view. Here, we reveal which non-financial risks have been highlighted as major areas of focus for this year and beyond…
NFR TREND #1: CYBER
Across most risk disciplines, cyber risk is cited as a major concern, in particular the evolution of attacks including ransomware. Unlike in our previous research, the focus has now shifted towards business continuity and maintaining resilience in the face of an attack, with businesses keen to accelerate response times to retain control of their systems.
The global pandemic has fundamentally changed both employee work practices and consumer behaviors, introducing rapid change. Almost overnight, organizations had to move to a work-from-home model, despite very few of them being adequately equipped to manage an almost completely remote workforce. This introduced a whole host of potential security vulnerabilities that businesses have had to overcome, not least as a result of employees moving from a secure IT environment to potentially exposed home networks.
As we start to emerge from the pandemic and organizations begin transitioning workforces back to the office, either full time or as part of a hybrid approach, the control environment must once again be adapted to ensure security. An interesting point uncovered during our research is that although working from home carries its security risks, adopting a hybrid model could potentially open up additional threats with no real control towards either approach.
Aside from homeworking, the pandemic also accelerated digitalization. As the whole customer base moved online, consumers became increasingly expectant of digital services, demanding an immediate response. This in turn created an influx of additional vulnerabilities and raised exposure to cyber threats. Controls to ensure cybersecurity and protect customers and their data must be reviewed post-pandemic as the environment once again changes.
Due to a remote or hybrid workforce, organizations have experienced a heightened susceptibility to compromise and ransomware attacks, and the debate remains as to the best approaches to mitigate their impact. What is in no doubt, however, is that cyber attacks can cause significant reputational damage, making quantifying the risk very challenging. Over recent years, the industry has been victim to a number of high-profile attacks which have highlighted shortcomings across vendors and outsourced services in particular. Regardless of where an attack originates, the reputation of those financial institutions impacted will almost certainly be hit.
NFR TREND #2: BUSINESS CONTINUITY
The challenge of business continuity and an enhanced pressure for resilience were also highlighted within our research as key areas for risk focus in 2022. The pandemic heightened requirements for effective business continuity frameworks and the importance of keeping ahead of change in a volatile environment. However, for many organizations, pandemic planning was not included within business continuity planning (BCP), meaning that some firms were forced to adapt very quickly to ensure continuity of critical services, both internally and across supply chains and third parties. This rapid change has further highlighted why effective planning processes are needed, as well as the importance of ensuring plans are kept up to date and reflect the current environment.
NFR TREND #3: OPERATIONAL RESILIENCE
Closely related to business continuity are enhanced requirements for operational resilience, to mitigate against potential risk of disruption. Organizations must implement effective contingency plans to ensure resilience of their critical processes and systems in order to recover function in a timely manner. A holistic view of the risk landscape across the organization is vital to manage any ripple effects and understand the implications of failure at every point. As we emerge from the grip of the global pandemic, operational resilience is therefore expected to remain a key risk focus area to ensure the future stability of firms’ infrastructures and defenses.
NFR TREND #4: CLIMATE CHANGE
The final area for discussion within this piece is climate change, a topic which has attracted considerable attention over the last few years, and which continues to gain momentum. With such increased attention comes a host of direct and indirect risks, including reputational damage for those not effectively managing their environmental risks, and difficulties in keeping up with competition as market expectations evolve.
Although arguably a financial risk, climate and environmental risks must be reviewed and managed across all areas of the business. However, one of the main challenges to implementing change is data, and identification practices to capture risk in systems – data is required across all aspects of climate and environmental risk management, from internal monitoring and alignment across frameworks to external clients meeting their forecasted targets.
Therefore, as an emerging trend, quantification of climate risk losses remains a key issue, especially across different market segments such as mortgage portfolios and insurance. With so much uncertainty and with implementational challenges ahead, organizations are reviewing their strategies and considering how best to factor climate risks into strategic decisioning.
RESEARCH CONCLUSIONS
The global pandemic has fundamentally changed the way we work, do business, and manage our lives on a daily basis, including raising expectations around digital banking. Rapid escalation and changes in practices brought a range of control and security challenges to the fore, though organizations were quick to respond and effectively mitigate the risk.
Changes to working environments altered controls and security measures, and hybrid working remains a challenge as we move towards a new normal. The long-term impacts and risks are yet to be realized, but many firms have demonstrated resilience, not only to major stress events but also to rapid change, reviewing their business models and strategic direction and updating their plans to stay agile in a volatile environment.
As we move into 2022, many firms will be looking to recall staff to the office and get back to a new level of business as usual. The risk landscape has changed significantly since the onset of the pandemic and many organizations now look very different, with the creation of new teams dedicated to emerging trends such as ESG. However, what is clear from our research is that as well as heightening the risk level, the pandemic has also seen the evolution of non-financial risks to include new fraud risks, third-party monitoring, and of course, the escalation of cyber threats.
Join us at our 11th Annual Risk Americas Convention in New York City on May 10-11, 2022, to gain a deeper understanding of the critical risk areas affecting financial institutions. See pages 16-17 for full details or register today at www.risk-americas.com
WHY FIRMS MUST EMBRACE FINTECH TO REMAIN COMPETITIVE
Seth Giovanetti, Senior Director – Operational Risk Management, Oportun
HOW HAS THE EMERGENCE OF FINTECH TRANSFORMED THE FINANCIAL SERVICES INDUSTRY?
To put it plainly, the shift towards rapid product and service innovation coupled with the supporting emerging technologies puts organizational culture at the forefront of this discussion. In my opinion, the culture equation becomes the primary success factor and key differentiator for new entrants trying to make their impact and wrest market share from traditional financial services organizations.
The integration of the disruption mentality has fundamentally changed the way the industry operates and introduced many challenges. The increasing focus on evolving technology, innovative product development, and people-centric customer service operating models dictates the entire existence and relevance of a modern-day financial services firm. As a result, organizations must promote, support, and most importantly, incentivize cultural change to understand which product attributes and company mission directives resonate with their existing and target customer base.
The companies that can break through their traditional norms and transform their culture to accommodate a more nimble, dynamic, and decentralized operating model will be the ones to succeed in the modern banking arena.
WHAT DO YOU SEE AS THE KEY PARTNERSHIP OPPORTUNITIES BETWEEN FINTECH AND THE FINANCIAL SERVICES INDUSTRY?
Over the next few years, I expect to see increasing merger and acquisition activity in this space as small to medium firms look for partners with complementary capabilities to expand their product and service offerings.
This will be especially true in digital banking and lending, where many firms have built their businesses around a limited core set of products and service offerings. Due to these firms’ success in delivering a high-quality customer experience, customers in turn are becoming more sophisticated. As the technology becomes more ubiquitous and adoption rates increase, they are now demanding a more complete centralized digital experience when it comes to managing their money online, especially as they become older and need broader based retirement and planning services.
When it comes to legacy financial institutions, the key factor in remaining competitive will be how they decide to position themselves to take advantage of new opportunities for which they may be unequipped, either operationally, technologically, or culturally. Many of these companies have attempted to create so-called ‘innovation centres’ (or similarly named teams or departments), tasked with developing cutting edge, next-generation products or services. However, in many cases, they are still heavily influenced by the same traditional limiting factors of culture, internal politics, or strict performance standards as the rest of the organization and ultimately fall short of expectations.
Legacy banks should instead view fintech companies as partners rather than competitors since they offer faster and better technology enablement that can fundamentally change the traditional go-to-market approach followed by most banks. Those organizations that firmly embrace change and adapt accordingly will significantly streamline their path to innovation.
GIVEN YOUR BACKGROUND IN FINANCIAL SERVICES AT TIAA AND NOW OPORTUN, WHAT OPPORTUNITIES DO YOU BELIEVE CAN BE LEVERAGED?
I am a big believer in optimizing the enterprise and operational risk functions into a key strategic differentiator. This concept has been around for a few years now, and whilst many companies have the desire and intention to maximize the value of the function, very few have successfully tuned their programs to this level.
However, in the fintech arena, I have found the mentality towards risk and compliance functions to be very different and, frankly, quite refreshing. The fintech community generally focuses on doing the right thing in the eyes of its customers, employees, and investors (and regulators, where applicable). As a result, it has taken the approach of building and implementing strong risk management functions regardless of whether they are required by regulation. In addition, these functions have an equal seat at the executive table and within an organization’s risk culture and mindset, and are regularly reinforced across all lines of business and support functions.
The general approach by fintechs is to embed risk programs into every aspect of their business, taking a data-centric viewpoint and instilling a strong risk mindset as the company grows and matures. Incorporating risk information will ultimately ensure that key inputs are woven into every aspect of strategic planning from product development to expansion plans and will reinforce to customers and investors that their best interests are front of mind.
WHAT DO YOU SEE AS THE FUTURE OF FINTECH?
One of the biggest opportunities is open banking and the desire to increase connectivity between financial tools and services. The move away from relying on outdated technology and associated customer engagement models, where traditional institutions exert the most control, towards a dynamic, fluid, highly customizable, and customer-driven experience is a trend that will continue to grow in popularity in the coming years.
There will also be a proliferation in the use of application programming interfaces (APIs), which allow customers to make connections with third-party providers outside of their known banking universe by sharing their financial data profiles in a safe and secure manner. APIs also enable research and engagement opportunities with companies that provide customized, customer-controlled products and services, along with easier and expedited access to personalized financing and credit vehicles.
This segment will keep evolving as customers become increasingly aware of and comfortable about how their information is used and stored, especially as they see benefits from the bespoke nature of products and services that will be accessible to them as a result.
Seth Giovanetti will be speaking at CeFPro’s Risk Americas event in New York City on May 10-11, 2022. To book your place, see pages 16-17 or go to www.risk-americas.com
HAVE YOUR SAY IN OUR LATEST SURVEYS...
With traditional credit and market risks now better understood and controlled within the financial industry, NFR Leaders strives to provide insights, support, and benchmarks for organizations as the traditional operational and non-financial risk arena continues to evolve, expand, and gain significance.
Take part in our research study to share your views on the most pressing operational and non-financial risks affecting the industry today. Areas covered include technology advances, governance, regulatory compliance and many more.
ESG STATE-OF-PLAY: BANKS’ COMPLIANCE & AUTOMATED REPORTING TRENDS SURVEY
The regulatory vice is tightening around ESG matters, with banks incorporating ESG mandates into their operations. Consequently, banks are prioritizing governance (i.e., data management, systemic risk management, business ethics, management of legal and regulatory environments) over other ESG factors. While some institutions are adapting by investing in new technology, others are failing to prioritize their ESG reporting requirements. And although some firms rely on ESG-centric data over other forms of measurement – such as public data, third-party research, or the media – quality and consistency cannot be guaranteed, and may be improved with automated, centralized data. Share your views on this emerging topic.
FIGHTING FRAUD
HOW THE CORONAVIRUS PANDEMIC AFFECTED THE FRAUD THREAT LEVEL ACROSS THE GLOBE
Identifying, combating, and preventing fraud have long been key concerns for banks and financial institutions. But since March 2020, the threat level has shifted, with the pandemic prompting fraudsters to devise new and inventive ways to scam consumers and organizations alike. As the industry races to protect itself and its customers from criminals looking to exploit our new ways of working and living – particularly in regard to increased remote working and the rise of e-commerce – we look at the scale of the problem across the US, the UK, and the wider global economy…
INFOGRAPHIC
Pandemic pressures
• Covid-related scams have cost Americans $586m
• UK fraud rates rose 33% during the first lockdown
• UK authorized payment fraud totaled £480m in 2020
Sources: Finextra; Federal Trade Commission (FTC); Experian
How banks identify fraudulent activity (Source: Global Banking Fraud Survey, KPMG International)
Channels: Customer, Automated systems, Manual systems, Whistleblower, Internal/external audit, Third party. Figures: 89%, 82%, 71%, 68%, 58%, 55%
Rise in successful fraud attacks since start of pandemic (Source: LexisNexis)
Sectors: Financial services, E-commerce, Lending, Retail. Figures: +83.1%, +61.5%, +40.5%, +58.1%
Most common fraud types (Source: PwC’s Global Economic Crime and Fraud Survey)
• Customer fraud
• Cybercrime
• Asset misappropriation
• Bribery and corruption
• Accounting/financial statement fraud
Other measures shown in the infographic:
• Percentage of Americans that experienced financial identity theft in 2020 (Source: US Identity Theft, The Stark Reality, Aite Group)
• Amount lost through identity theft in 2020, a 42% YoY increase (Source: US Identity Theft, The Stark Reality, Aite Group)
• Number of reports of fraud made to the Federal Trade Commission in 2020 (Source: FTC)
• Amount stolen from UK bank customers in the first half of 2021 alone (Source: UK Finance)
• YoY increase in investment scam losses in the UK in 2021 (Source: UK Finance)
• Percentage of applicants identified as potential synthetic identities that are not flagged by traditional fraud models (Source: LexisNexis)
• YoY increase in mobile devices fraud attacks in 2021 (Source: LexisNexis, Fraud Trends to Watch in 2021)
• YoY growth in bot volume targeting financial services organizations in 2020 (Source: LexisNexis)
• Nearly half of reported incidences resulting in losses of $100m or more were committed by insiders (Source: Experian)
• Companies with a dedicated fraud program spent 42% less on response and 17% less on remediation costs than those without (Source: PwC)
Explore new complexities in the fraud and financial crime landscape and uncover best practices to stay ahead of the fraudsters at CeFPro’s Fraud & Financial Crime USA Event, March 16-17, 2022, New York City. To book your place, go to www.cefpro.com/fraud-usa
EVENT PREVIEW
COUNTDOWN TO AMERICA’S PREMIER FINANCIAL RISK AND INNOVATION CONVENTION
RISK AMERICAS 11TH ANNUAL | MAY 10-11, 2022 | NEW YORK CITY
Join us for the welcome return of CeFPro’s 11th Annual Risk Americas Convention, LIVE for the first time since 2019!
INSIGHT AND THOUGHT LEADERSHIP
Taking place in New York City on May 10-11, 2022, this premier event will bring together over 500 attendees for unrivalled in-person networking and learning opportunities, uniting industry thought leaders with a packed two-day program covering key topics such as geopolitical trends, latest regulation, ESG, and cyber risk.
Over 60 expert speakers will share their knowledge and insight across three separate presentation streams, giving delegates the option to deep dive into their specialist area or broaden their learning across the two days. For the first time, there will also be the opportunity to join our NEW Interactive Workstream; a closed-door setting allowing for in-depth discussions on key areas such as cryptocurrency and data governance. Informative pre-event masterclasses complete the offering, delivering a comprehensive suite of educational opportunities for Risk Americas attendees.
IN-PERSON NETWORKING
Risk Americas 2022 will also provide numerous opportunities for networking amongst speakers and delegates alike during session breaks, lunch, and our exclusive drinks reception. With the world finally able to interact again in person after two years of lockdowns, remote working, and virtual events, we expect demand to be high!
We look forward to seeing you in New York on May 10-11. Register today at www.risk-americas.com
3 WORKSTREAMS | 5 KEYNOTE SESSIONS | 2 SEPARATELY BOOKABLE MASTERCLASSES | 60+ SPEAKERS | 500+ ATTENDEES | 7 HOURS OF NETWORKING | NEW INTERACTIVE WORKSTREAM
KEY TOPICS
Advanced technologies | AI & machine learning | Balance sheet optimization | Business continuity | CECL | Climate risk | Cloud | Cryptocurrency | Cyber risk | Data governance | Data privacy | Digitalization | ESG | Fintech | Fraud | Geopolitical trends | Interest rates | Libor | Liquidity | Market risk | Regulation | Resilience | Third-party risk
WORKSTREAMS
• TECHNOLOGY & INNOVATION RISK: Technology risk | Digitalization | Open banking | Fintech | Climate risk
• OPERATIONAL RISK AND EMERGING TRENDS: Fraud | Third-party risk | Cloud | Data | Cryptocurrency
• MARKET TRENDS AND FINANCIAL RISK: Interest rates | LIBOR | FRTB | Liquidity | Balance sheet optimization
60+ SPEAKERS INCLUDING
• Frank Morisano, Chief Risk Officer, ICBC
• Jay Cook, Chief Risk Officer, International, Lloyds Banking Group
• Amy Butler, Chief Risk Officer, Legal & General
• Sarah Chapman, Global Chief Sustainability Officer, Manulife
• Nicholas Silitch, Chief Risk Officer, Prudential
• Markus Lammer, COO, Ultra High Net Worth Business, Credit Suisse
• Sabeena Liconte, Deputy Chief Operating Officer / Chief Legal Officer, BOC International USA Holdings Inc., a member of the Bank of China Group
• Paige Wisdom, Board Director, Morgan Stanley Bank N.A
PRE-EVENT MASTERCLASSES | MAY 9
• MACHINE LEARNING MODEL VALIDATION: Led by senior executives from Wells Fargo
• FRTB FORUM: Insight and thought leadership from UBS, HSBC, Natixis, and more.
JOIN OUR SPONSORS
Raise your company’s profile in front of a risk-specific audience. Packages still available – contact chris.simou@cefpro.com for more information.
View the full agenda at www.risk-americas.com
LEVERAGING TECHNOLOGY TO KEEP AHEAD OF THE AML CURVE
Becky Schauer Robertson, Senior Vice President, Director Financial Investigations Unit, Atlantic Union Bank
How has the BSA/AML landscape evolved over the last few years?
Since the USA PATRIOT Act was enacted in 2001, the first line of defense has played a more present role in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance. However, fast forward to 2018 – when compliance with the Customer Due Diligence Final Rule became mandatory – and the first line of defense undoubtedly transitioned to become the cornerstone of achieving compliance. Not only is that line of defense responsible for gathering information for currency transaction reporting (CTR); money instrument log (MIL) requirements; identifying and internally reporting suspected suspicious activity; and Customer Identification Programs (CIP); but it is now also vital for the collection of customer due diligence and beneficial ownership at the time of account inception.
How can artificial intelligence (AI) and machine learning be leveraged to detect AML and fraud?
Detecting AML and fraud is more than setting a few stagnant rules and reviewing the alerts generated from those specific incidences. As money launderers and fraudsters become increasingly astute, it is also necessary to analyze and understand patterns, and be able to spot changes in those patterns.
Using AI provides a platform of consistency and non-disparate considerations; however, it is unlikely that the human element will ever become obsolete from the process. Just like the initial input of due diligence information, evolving strategies and current trends will need to be programmed into systems, allowing the AI to ‘learn’ what is expected to be present, and be alert to anything that either hits on that activity and/or deviates from it. From a fraud perspective, AI can certainly help with moving to a proactive program versus a reactive program, and in the case of both AML and fraud, reduce false positives and increase accuracy.
How has the pandemic impacted the AML/financial crime landscape?
For me, the two most significant impacts are the adoption of online services such as banking and shopping by people that may have previously resisted them; and the emergence of multiple fraud schemes, e.g. Payment Protection Program (PPP) and unemployment fraud.
Financial institutions have realized that there is a need to evolve technology and consider fintech partnership opportunities, both of which may only have been future long-term considerations pre-pandemic. Additionally, fraud schemes are becoming more prevalent and occurring faster. Financial institutions must be more proactive and find ways to talk to each other, share information, and work together to thwart the fraudsters.
REVISITING FUNDS TRANSFER PRICING POST-LIBOR
Banks that have been using the LIBOR/interest rate swap curve as the basis for funds transfer pricing (FTP) must make changes to replace LIBOR as it is phased out. Newly available interest rate index curves can contribute to a superior basis for FTP.
An effective FTP must accomplish at least three things: accurately reflect the interest rate environment; appropriately reflect a bank’s market cost of funding in varying environments; and be able to separate interest rate and liquidity components for floating rate and indeterminate maturity instruments. These three principles alone set a high bar for replacing LIBOR and highlight the challenges of using a single index for both interest rate and liquidity FTP.
Most large banks are adopting SOFR as their LIBOR replacement for use with floating rate loans and for hedging. Many mid-tier banks are gravitating to Ameribor and BSBY, which provide rates based on an aggregation of unsecured bank funding transactions.
If we take a building block approach to constructing an FTP curve, we can consider how these curves could contribute to meeting our principles. SOFR accurately reflects the interest rate environment. Separately, Ameribor and BSBY provide a term structure of interest rates representative of unsecured financing costs. These two indices provide a composite FTP curve capturing interest sensitivity, liquidity, and credit sensitivity.
Using these elements, a fully specified FTP curve that separately captures interest sensitivity, liquidity, and credit sensitivity can be built to meet the criteria set above. As shown here, a robust FTP curve can be created by combining SOFR, a risk-neutral premium, and Ameribor or BSBY. Combined, these elements send appropriate signals on valuation, pricing, and performance in all interest rate and economic environments.
To read the full version of this article, go to: https://empyreansolutions.com/news-and-resources/
Of which key changes within the AML Act should institutions be aware?
Most financial institutions are anxiously awaiting the guidance for beneficial ownership. How will the new FinCEN registry affect current regulation? The other essential change will be incorporating FinCEN Priorities into a financial institution’s risk-based suspicious activity monitoring program. Technology adoption will be key to transforming and gaining efficiencies and being able to keep up with the ever-evolving landscape.
How do you see detection and monitoring evolving over the next three years?
Technology advances will be critical, and the creation of dedicated AML and fraud technology positions will be required. Real-time monitoring and collaboration across financial industries will also be essential for the future. Artificial intelligence that can be applied to all types of products, services, and transactions must be ahead of the curve (e.g. monitoring virtual currency). Finally, partnerships with fintechs to provide the expertise that many traditional financial institutions lack will become the norm.
Becky Schauer Robertson will be speaking at CeFPro’s Risk Americas event in New York City on May 10-11, 2022. To book your place, see pages 16-17 or go to www.risk-americas.com
RISK EMEA 2022
11TH ANNUAL | 13-14 JUNE, 2022 | LONDON
The 11th Annual Risk EMEA Summit returns to London on 13-14 June, 2022. This year’s agenda is divided into three individual workstreams – Financial Risk, Non-Financial Risk, and The Future of Risk Management – and is set to cover such wide-ranging topics as ESG, macroeconomic views, climate stress testing, cyber risk, inflation, digitalization, and much more.
Enjoy live presentations by over 70 industry leaders from prestigious institutions, including: Barclays, JP Morgan, Lloyds Banking Group, NatWest Markets, Credit Suisse, Bank Of America, UBS, Credit Agricole and many others.
BUSINESS STRATEGY
Adapting business strategy within a changing environment
MARKET EVENTS
Reviewing preparedness for past market events and how to anticipate future events
EMERGING RISKS
Monitoring emerging risks on the horizon and developing effective mitigation strategies
REGULATION
Assessing how the regulatory agenda is transforming banking
HEAR FROM AN EXTENSIVE RANGE OF CHIEF RISK OFFICERS AT OUR KEYNOTE SESSIONS
JOIN OUR CONFIRMED KEYNOTE SPEAKERS
• David Glendinning, Chief Risk Officer & Head of Risk UK, Société Générale
• Jeff Simmons, Chief Risk Officer, MUFG Securities (Europe) N.V.
• Cecilia Gejke, Chief Risk Officer, East-West United Bank S.A
• Ebbe Negenman, Chief Risk Officer & Member of the Executive Board, Knab
• Fabrice Brossart, Chief Risk Officer, General Insurance & International, AIG
• Hanna Sarraf, Group Chief Risk Officer, BankMed
Register here to take advantage of our special pre-agenda rate from £499 or go to www.risk-emea.com
Q&A
MEETING NEW REQUIREMENTS FOR THIRD-PARTY MANAGEMENT
Sean Titley, Director of Enterprise and Operational Risk, Metro Bank (UK)
HOW ARE RISK ASSESSMENTS AND MANAGEMENT OF DATA CHANGING?
The Supervisory Statement SS2/21 ‘Outsourcing and third party risk management’ sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management.
It requires additional steps to be undertaken in the assessment of third parties, including:
• Treating material non-outsourced third parties with the same rigor as outsourced third parties.
• Minimum requirements for the risk assessment of such parties, focusing on data security, access, audit and information rights, sub-outsourcing, and business continuity and exit strategies.
• Governance, policy, and documentation requirements.
• A shared responsibility model for cloud service providers.
In relation to data management, the Statement includes requirements for:
• Classification of relevant data.
• Identifying related risks and impacts.
• Appropriate levels of availability, confidentiality, and integrity of data.
• Assurance and documentation from third parties regarding the provenance or lineage of data.
WHAT ARE THE ESG RISKS ACROSS SUPPLY CHAINS, AND HOW CAN THESE BE MITIGATED?
Climate footprint, social responsibility, and governance should all be considered when assessing suppliers. Any requirements included within underlying documentation/service level agreements (SLAs) should also be adhered to.
WHAT ARE THE CHANGES TO OUTSOURCING REQUIREMENTS UNDER RESILIENCE REGULATIONS AND WHAT DO THEY MEAN FOR INSTITUTIONS?
SS2/21 is a sister paper to SS1/21, which relates to operational resilience. SS1/21 includes requirements for third parties, including ensuring that firms remain within impact tolerances for important business services when using third parties; so SS1/21 largely refers back to SS2/21 in this respect.
HOW CAN THIRD PARTIES’ CYBER RISK PREPAREDNESS BE REVIEWED AND MONITORED?
Firms’ information security teams must be an integral part of the review of key suppliers to ensure that the necessary steps are in place to protect them from a cyber attack. For material third parties and cloud service providers, detailed requirements are set out in SS2/21. If a third party becomes the target of a cyber attack, firms’ information security departments should provide appropriate advice and assistance where possible.
HOW CAN THIRD PARTIES DEMONSTRATE RESILIENCE?
Third parties can demonstrate resilience by evidencing compliance with the regulatory requirements set out above, including demonstrating that they have defences against a potential cyber attack, such as regular patching and penetration testing, strong data security measures, and robust business continuity arrangements. Allowing access for an inspection or audit of their resilience preparations is also crucial.
Sean Titley will be speaking at CeFPro’s New Generation Operational Risk Europe event on 29-30 March in London. See opposite page for full details or to book your place, go to www.cefpro.com/oprisk
NEW GENERATION OPERATIONAL RISK EUROPE
7TH ANNUAL | 29-30 MARCH, 2022 | LONDON
Enhancing business processes and leveraging technology to further advance management of operational risk
EARLY BIRD FROM £799
TWO INDIVIDUAL WORKSTREAMS
TECHNOLOGY & INNOVATION | STRATEGY AND BUSINESS PROCESSES
EMERGING TECHNOLOGY | DATA ANALYTICS | DIGITALIZATION | CYBERSECURITY | CLOUD | PAYMENTS | RESILIENCE | VENDOR RISK | FRAUD | ESG | CONTINUOUS MONITORING | HOLISTIC VIEW
KEY HIGHLIGHTS INCLUDE
OPERATIONAL RESILIENCE
Reviewing requirements and regulatory expectations for operational resilience and progress towards implementation
EMERGING TECHNOLOGY
Managing pace of rollout of new technology advances and mitigating increased operational risk
THIRD-PARTY RISK MANAGEMENT
Maintaining oversight and control of third parties in a changing environment
DATA ANALYTICS
Leveraging data analytics for a full view of risk profile and customer insight using, managing, and organizing data
CYBERSECURITY VULNERABILITIES
Navigating evolving threats and the increased use of tactics including ransomware
CONDUCT RISK
Developing frameworks, processes, and controls to address conduct risk with remote and hybrid working
FRAUD AND FINANCIAL CRIME
Managing increased propensity and evolution of threats across the fraud landscape
CLIMATE RISK
Understanding exposure to climate risks and impact to operational risk frameworks
30+ SPEAKERS INCLUDING
• Sophie Dupre-Echeverria, Chief Risk Officer, Gulf International Bank
• Simon Cartlidge, Chief Risk Officer, Legal & General
• Hasintha Gunawickrema, Chief Control Officer, HSBC
• Steve Portway, MD – Operational Risk, Barclays
• Sucharita Banerjee, Head of Operational Risk, Governance and Controls, ERM, AIG
• Abhishek Khare, Director, Oversight Lead, Chief Controls Office, Société Générale
• Zuzana Vybiralova, EMEA Deputy Head of Operational Risk, Nomura
• Lee Webb, Group Head of Operational Resilience, Aviva
Register today at www.cefpro.com/oprisk
ADVANCE YOUR LEARNING WITH CEFPRO’S FREE MEMBERS’ HUB
A WORD FROM THE INDUSTRY...
Are you taking advantage of all the benefits CeFPro membership has to offer? Our FREE members’ hub hosts a wealth of resources to accelerate your learning and ensure you’re always up to date with the latest trends, data, and information from the world of financial and non-financial risk. Head over to www.cefpro.com/membershub and register today for exclusive access to the following industry insights…
ARTICLES BY INDUSTRY THOUGHT LEADERS
Updated daily, our members’ hub hosts over 100 articles written exclusively for CeFPro by key representatives from some of the world’s leading financial institutions, providing unrivalled industry insight and knowledge.
IN-DEPTH SURVEYS & REPORTS
Read and download our industry-defining surveys and research reports, including Fintech Leaders, Non-Financial Risk, Working Finance in a Post-Covid World, Cash & Treasury Management Best Practices, and more.
ON-DEMAND WEBINAR LIBRARY
Watch a wide range of webinars on-demand for free, covering a variety of topics such as proactive risk management strategies, cloud-enabled risk management, embracing technology to transform insurance, and many more.
EXCLUSIVE VIDEOS
View presentations, panel discussions, and interviews from a diverse range of financial institutions, including SEB, Intesa Sanpaolo, Natwest, Clydesdale Bank, Bank of the Sierra, and UBS.
EVENT PRESENTATIONS
Coming soon for Premium members – never miss available presentations from our industry-leading events! Exclusive access to ALL available presentations from every CeFPro event will be available via our Premium Members’ Hub, due to go live in the coming weeks.
INFRONT MAGAZINE
Did you miss Issue 1 of our bi-monthly non-financial risk magazine? Download previous editions of iNFRont, written for the industry by the industry, to ensure you’re always in the know.
RELAUNCHED MEMBERS’ HUB COMING SOON
Look out for our new and improved members’ offering, including our exclusive Premium Members’ Hub, launching soon at www.cefpro.com, featuring:
• Personalized article recommendations to suit your interests
• Single focal point for all CeFPro activities including event registrations
• Exclusive discounts on event tickets
• Priority pre-launch agenda access to some of our biggest events
Register for CeFPro membership today at www.cefpro.com/membershub
GREATEST THREATS TO VENDOR AND THIRD-PARTY RISK
The industry’s reliance on outsourced services from vendors and third parties shows no sign of slowing down. As part of our research to shape the agenda for CeFPro’s Vendor & Third Party Risk events, taking place this June in New York and London, we asked some of the industry’s key players to share their views on the greatest threats to vendor and third-party risk in 2022…
Madiha Fatima
Director, Third Party Risk Management
Angelo Gordon
Cyber, resiliency, and continuous monitoring are key vendor and third-party risks for 2022. It’s crucial to design a robust and adaptable third-party risk management framework that can not only address the emerging risks but can also enhance and tailor monitoring as needed to ensure governance and verification of controls. With changing technology and an increased reliance on offshoring, cloud, and data hosting, risk experts should be challenging their firm’s risk frameworks and strategies periodically and developing solutions that address the evolving emerging risks.
Alpa Inamdar
Transformation Leader
AIG
Executives and boards are requiring greater transparency of third-party risk management for 2022, focusing on metrics and data. Third-party risk management must be looked at in a holistic or comprehensive manner given its cascading risk. Metrics will therefore play a critical role in managing supplier risk. Some of the ways to overcome this challenge are to standardize taxonomy and processes across all functions; KPIs and KRIs; cloud computing risk; and fourth and fifth party that measure overall risk.
Deniz Tudor
Head of Risk Strategy, Comenity and Comenity Banks
Cyber and ESG remain the biggest risks in the vendor and third-party space but 2022 will also be dominated by supply chain issues. Pandemic-induced supply chain risks will have repercussions for the macroeconomy, and business managers will have to brace for the impact of reduced staff and inflation. An emerging risk in the vendor and third-party space will be through open banking services and related cyber and data privacy risks.
Brendan P. Murphy
Vice President, TPRM Fourth Party RCS & Quality Assurance
U.S. Bank
Without question, the biggest threats facing vendor and third-party risk in 2022 are cyber, resiliency, cloud, new products and services – especially with the rise of digital assets and the underlying technology – offshoring, and Nth party. Having a risk framework that addresses all of these emerging and emerged risks will remain a regulatory expectation.
Any views expressed are those of the individual and do not necessarily reflect the organization they represent.
Registration is now open for CeFPro’s 7th Annual Vendor & Third Party Risk USA and Europe events (June 1-2, 2022, NYC/15-16 June, 2022, London).
To book your place at the USA event, go to www.cefpro.com/vendor-usa
To book your place at the Europe event, go to www.cefpro.com/vendor-europe
EVENTS CALENDAR 2022
US EVENTS
Reviewing the evolving landscape and future of regulation, ESG USA looks to bring together industry experts from a diverse range of financial institutions across banking, insurance, assets, and investment management.
Back by popular demand as a live event after the success of the 2021 virtual event, Advanced Model Risk USA delivers insight on the evolution of model risk and the future of technology.
Fraud & Financial Crime USA returns as a live event in 2022, uniting the industry to share insight into topics including AML, sanctions, cyber risk, identity theft, scams, and much more.
CeFPro’s flagship event, Risk Americas, returns May 10-11 in NYC. Boasting over 60 speakers, three individual streams, closed-door breakfast briefings, case study dedicated track, and three workshops over four days, it also features extensive networking opportunities and an agenda that can be tailored to attendees’ individual needs.
Treasury and ALM USA boasts keynote sessions on areas including regulation and US recovery, before dividing into two streams, allowing attendees to build a tailor-made agenda.
Vendor & Third Party Risk USA brings together industry thought leaders to advance the ever-evolving regulatory and technical landscape. Join us as we deep dive into key challenges and innovations within vendor and third-party risk.
MAR 15-16 | ESG USA | NEW YORK CITY
MAR 16-17 | FRAUD & FINANCIAL CRIME USA | NEW YORK CITY
MAR 22-23 | TREASURY & ALM | NEW YORK CITY
MAR 22-23 | ADVANCED MODEL RISK | NEW YORK CITY
MAY 10-11 | RISK AMERICAS | NEW YORK CITY
JUN 1-2 | VENDOR & THIRD PARTY RISK USA | NEW YORK CITY
EUROPEAN EVENTS
Our highly anticipated New Generation Operational Risk event returns for its 7th year, boasting a new format with keynote sessions opening each day and two individual streams.
ESG Europe will address the latest challenges and opportunities within ESG, including managing an influx of regulation.
CeFPro’s flagship European event will boast over 70 industry thought leaders sharing their views across keynote sessions and three individual workstreams.
New for 2022, CeFPro is excited to launch Credit & Counterparty Risk Europe, bringing together leading industry experts to unpack market volatility and impacts on credit risk within financial institutions.
Now in its 7th year, Vendor & Third Party Risk Europe addresses key challenges and opportunities within vendor risk and provides insight on evolution and best practice moving forward.
29-30 MAR | NEW GENERATION OPERATIONAL RISK | LONDON
27-28 APR | ESG EUROPE | LONDON
13-14 JUN | RISK EMEA | LONDON
15 JUN | CREDIT & COUNTERPARTY RISK EUROPE | LONDON
15-16 JUN | VENDOR & THIRD PARTY RISK EUROPE | LONDON
For more information, including agenda, speakers, location, and registration, visit www.cefpro.com/forthcoming-events/