Recently one news article caught my attention and reminded me of an exceptional experience of my trading days. A German bank accidentally transferred more than 5 billion euros to four other banks due to some internal system issues. Interestingly, this is not the first time for this bank. Even earlier, just when Lehman Brothers filed for bankruptcy in 2008, the bank transferred 320 million euros to Lehman Brothers. Some other banks have also faced similar situations in past. These incidents highlight how critical it is to manage operational risk within an organization. More importantly, in a world where technology is growing at a very fast pace, managing efficient IT systems become a matter of paramount importance.

Ever since Globalization hit the Indian market, lots of foreign investment has been flowing in India. In the early 2000s, there were situations when the every major Indian bank was flush with foreign funds. A decent amount of USD funds were available in our Bank’s Nostro accounts regularly. We used to place them as overnight deposits with counterparty banks and back office used to settle funds as per counterparty’s instructions.

Those days, our treasury department did not have a well-integrated front to back office IT System and most back office operations were manually managed. One day, the counterparty bank modified their settlement instructions, which our back office did not notice and transferred the funds (USD 125+ Mio) to their regular account. The counterparty expected us to settle and hence utilized the funds further. It triggered an overdraft in counterparty’s account. Our internal systems and procedures failed to alert it until the next day when counterparty bank came back to us. All this resulted in a loss of around $22k, due to overdraft interest. This was a classic example of an insufficient technology solution, coupled with human error.

As per Bloomberg report, inadvertently, in this case, the internal IT systems of the German bank released multiple payments. Internal checks and controls of the bank did not warn this critical software blunder. The central bank detected this error and notified it to the concerned bank. Though the bank recovered the money, but it highlights the risk an inefficient IT system can pose to the financial stability of an organization as well as to the entire market.

Over the years, Regulators across the globe have emphasized upon the banks to formulate a Comprehensive Risk Management policy and take necessary steps to mitigate risks. Basel committees have issued specific guidelines over the years.

Basel II had defined seven event types with reference to operational risk covering all the operational aspects of banks. Two relevant ones are –

• Business Disruption and Systems Failures 
• Execution, Delivery, and Process Management

In the current example, though it was not a complete failure, but a software system deficiency had resulted in multiple erroneous settlement payments out of the bank. It also underlines the benefits of the right execution process of managing settlements within the bank.

Basel III guidelines focus on to strengthen the regulation, supervision, and risk of the banking sector. Pillar 1 of these guidelines, developed by the Basel Committee on Banking Supervision, specifies Minimum Capital Requirement for total risk (Credit Risk, Market Risk as well as Operational Risk). The second pillar stresses upon the need for an Enhanced Supervisory Review Process for Overall Risk Management and corresponding Capital Requirements.

Risk managers are using various complex mathematical models to measure and evaluate credit and market risk. In such a scenario, a risk associated with technology solutions cannot have a subordinate treatment. Comprehensive risk management framework should include all the operational risk factors including the IT systems. For past many years, technology has become an integral part of human life and Financial Industry is one of the leaders in realizing its benefits. One side, we are progressing towards Blockchain technology to gradually support many Back office operations and another side, some existing legacy applications lack basic operational checks.

It is the pertinent time that each institution invests right resources in ensuring that operational risk arising from technology is duly assessed and adequate risk mitigations are in place. Additionally, in a rapidly changing environment, Bank Senior management must pay attention to upgrade/ overhaul existing IT system landscape. Banks should develop a robust process for any enhancement in their IT applications. The process should follow a defined software development cycle by involving both Business and IT stakeholders so that proper impact analysis and testing completes before any change released to primary production applications. A comprehensive process will be beneficial to lessen critical business disruption.

Senior Management of the bank should form a detailed Operational Risk Management policy (Covering IT System Risks too) and this should be reviewed at a periodic interval to accommodate updated risk assessment and risk mitigation policies. This will help to avoid unwanted regulatory audits, stringent capital requirements and more importantly, any damage to the reputation of the bank.

Image Courtesy Google Images