Banks must prepare for the next Black Swan event

Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

This is an excerpt from The Future of Risk Management and Compliance 2023 report.

Within the context of these arising risks, financial institutions are looking to increasingly sophisticated ways of preparing themselves for these events, and the crimes they make institutions vulnerable to.

Roshni Patel, Quantexa, refers to these global events as ‘Black Swan’ events, stating: “Financial institutions need to be prepared today, for a new Black Swan event that could be tomorrow. The underlying risk for financial institutions is not being able to make data-led intelligent decisions. Research Quantexa conducted in January 2023, shows that fewer than a quarter (22%) of IT leaders believe that all business units trust the accuracy of data available to them. More than two in five leaders (43%) do not think their organisation is maximising the value of its data.”

Patel continues: “Many FIs are currently unable to understand how first-order and second-order impacts combine to affect the risks facing their organisation. Risk assessments are currently being made in isolation and usually too long after the fact to be of use in real-time. In rapidly changing circumstances, siloed and laborious risk assessments have left financial institutions exposed.”

As shown in the diagram, many financial institutions are readying themselves for an increased level of financial crime throughout this year due to the global economic circumstances.

Matthew Peake, Onfido, notes that this is a continuous problem for these companies: “Identity fraudsters have moved from attacking companies during business hours to deploying sophisticated tactics and leveraging technologies, like AI, to develop convincing spoofs on-demand and at scale. They now attack consistently 24 hours a day, seven days a week, and this requires companies to be vigilant and have robust prevention strategies in place. Having a dedicated fraud team, who monitor risks and trends around the clock, will help organisations stay one step ahead.”

Indeed, concerns over cyber security and data privacy are growing. The old ways of mitigating these regulatory and compliance risks are now making way for more modern, digital forms. Digital transformation offers many financial institutions the opportunity to manage some of these changing regulatory and compliance circumstances. However, this comes with downsides that can create new opportunities for risk.

Patel describes digital transformation as feeling like a “Catch-22.” She continues: “The project reduces risk in one area only to increase it somewhere else. These efforts have broadened the risk vectors facing financial institutions, from emerging risks such as cyber-crime to the difficulties associated with analysing non-conventional, unstructured data.”

James Maxfield, head of product and solutions at Duco, highlights some of the fault lines which are presented through automation in digital transformation: “Digital transformation should be reducing risk through increased automation and better access to timely and accurate data. But some of these risks have been replaced by third party vendor risk in some cases where a vendor becomes a critical dependency for an organisation. If not handled correctly, there is also significant risk of institutional knowledge loss through automation, where 'as-is' and 'to-be' processes are not captured and documented correctly. These failures by business architecture functions (if they even exist) are often an unintended consequence of transformation, where poor knowledge retention becomes exposed in times of market stress or ongoing business re-engineering projects.”

However, despite this, Balani argues: “The risks themselves are not changing, what’s changing is the ability to quickly assess risks. With digital transformation you have the ability to do real-time assessments.”

This shows the double-edged sword of digital transformation. There has never been so much data, or so many tools, available to protect resources and remain compliant. Yet this comes with risks of its own, especially when it comes to protecting these new tools, and the data they hold, against cyber criminals.

Data is a key area where digital transformation remains a concern. Vall Herard, the CEO and co-founder of Saifr, a fintech specialising in regulatory tech, points to the digitisation of products and services, which “can lead to an explosion of data. This data must be secured so it can be utilised by companies seeking reinvention to keep pace with competitors. This reinvention can introduce risks into the reengineering of the operational stack. For example, the digital environment must allow for the protection of data against the risk of fraud or breach in order for the digital ecosystem to gain client trust. This protection has to happen no matter the state of the data. Any lapse in protection could present a catastrophic risk.”

Peake also notes that digital transformation has had important benefits to financial services: “The level of digital transformation over the past few years has resulted in significant improvements to online user experiences, such as in remote onboarding, and has supported the growth of the digital economy.”

But, like other commentators, Peake points to similar downsides to these advances: “The burgeoning fraud rates suggest it is necessary for businesses to understand these risks in order to effectively mitigate them. Technologies such as AI and biometrics provide a high assurance that a person is who they say they are when compared with other forms of verification, such as a username and password. These solutions are not only effective in deterring fraudsters, but can also help manage other risks - such as regulatory compliance.”

Davies notes some of the problems that were being faced in this area: “Traditionally, you would go into a bank and confirm your identity with a variety of physical documents such as a passport and utility bills. With the advent of digital banking, new data points like IP addresses, GPS coordinates, IMEI numbers, session data and more are useful in protecting all participants in the financial system. Further, with the advent of open banking and the introduction of fintechs into the financial services supply chain we must ensure that these endpoints do not offer criminals access into the system to conduct financial crime.”

Patel argues that digital transformation comes down to the individual bank: “Organisations need to determine where digital transformation efforts will have the most impact at reducing broader risk. For example, processing bounce back loans quickly led to large amounts of fraud. Implementing systems that allow banks to make real-time decisions and make decisions based on a range of contextual information improves the end-user experience and reduces fraud. The best strategy for financial institutions to mitigate risk vectors is by ensuring they're as agile as possible in preparation for the unforeseen.”

A Santander spokesperson offers an example of how the bank does this itself: "Having a resilient IT system is key to mitigating the risk of our increasing reliance on technology and we’ve been putting in place a number of programmes to ensure that as Santander UK becomes more digital we don’t open ourselves up to the risk of significant service disruption. This has required significant investment in our operations teams as well as cooperation between our customer facing teams and support functions to build systems that deliver for the customer whilst remaining resilient."

Communicating concerns is the first step to remaining compliant

Considering this risk landscape and the digital tools available, it has never been more important for corporate structure and communications to be on the same page about the risk they are facing. It is important within these organisations that there is an equal perception of risk from those in executive positions to those further down, and the ability to communicate those concerns throughout the structure to remain compliant.

Peake argues that this balance has been met: “In recent years, how businesses approach and perceive risk has evolved. What could once be considered an ad-hoc exercise designed to ensure the appropriate checks and balances are met, risk has out of necessity become ingrained within the corporate mindset. Businesses are today battling challenging macro-economic conditions, and heightened external threats like cyberattacks, and so risk must be monitored, discussed, and reviewed in every meeting and play a part in every decision. That’s how privacy, security and reputations are maintained. And it’s this rigorous approach that ensures that the tone for risk tolerance remains consistent at all levels within the business, and informs strategy and objectives - from the c-suite to each team and division.”

It is clear that a company’s reputation for compliance can start at the communication level. Santander gave a practical example of how they do this: “Compliance should be embedded throughout a financial institution to ensure that departments have the right skills and knowledge to recognise compliance risks and mitigate these as they arise. This requires good cooperation between line 1 and line 2 teams when looking at product development, with a strong review structure. It’s also important that financial institutions have a good audit culture that regularly reviews products and processes and can identify concerns.”

Maxfield outlines some of the problems that companies face in reaching this level of communication: “Best practice should see a seamless flow of trusted risk data flowing up to the executive level to give an aggregated risk view which is consistent with underlying constituent parts owned by the functions. The reality is that fragmented (and typically incomplete) data sets required functional process owners to spend a considerable amount of time manually enriching and scrutinising data. This is expensive (in terms of time and the expertise required to make these judgement calls) and prone to manual error, where the process of aggregation and validation has become heavily reliant on human intervention.”

Maxfield further recommends “daily escalation meetings, data reviews, risk, and control oversight meetings increase in frequency and intensity, which is challenging for organisations to respond to as they don't carry spare capacity to deal with this change in operating rhythm.”

Davies also mirrors this point: “Managing financial crime holistically and encouraging collaboration are key to the industry being more effective in combating financial crime. A recent trend has been to use common alerting and case management solutions to facilitate collaboration. Financial institutions have increasingly sought to remove silos across their risk and compliance teams by consolidating skill sets to enable a more coordinated approach.”

Davies gives an example of this trend: he has observed some financial institutions unifying once disparate fraud and AML teams into a single multi-skilled team capable of managing both fraud and AML risk. He notes that “regular monthly reporting, shared and discussed at cross-functional committees, is the most common method for disseminating compliance concerns.”

Balani argues that how we communicate has not changed within teams, and access to email and instant messenger applications has made this easier. With regard to senior management positions, he argues: “The topic of compliance has become quite a significant issue amongst senior management as they have seen a lot of these banks being penalised over time. So there's a greater awareness of the impact of compliance and greater awareness of the compliance risks, that actually brings more attention to the compliance teams. Even with this downsizing that we're currently seeing in the industry and financial institutions, compliance budgets are not affected.”

Davies concludes: “It is incumbent on executives to set a tone from the top in support of effective financial crime risk management. Individuals below the executive level need to reinforce the culture of financial crime prevention diligence and vigilance.”
