WHITE PAPER

DIGITAL RISK MANAGEMENT IN BANKING

Banks are not new to the concept of digital risk management. Some of the very first digital technology was developed as early as 1939,[1] and banking was likely the first private sector industry to widely apply digital technology to its day-to-day business activities.

A SHORT HISTORY OF SELECTED BANKING TECHNOLOGY

Notable applications of digital technology in banking include the following.

In 1956, the American Banking Association adopted technology introduced by Bank of America that employed magnetic ink character recognition (MICR) to capture and sort physical checks. This innovation reduced the time to process checks by 80%.[2] This check-processing technology has become universally accepted throughout the banking industry.

In 1967, Barclays Bank was the first bank to introduce an automated teller machine (ATM) to dispense cash. Today, there are well over 1.7 million ATMs in use worldwide.[3]

Cash and checks used to be the sole means by which individuals would pay for the goods and services they received. In the 1950s credit cards were introduced, followed by debit cards in the 1960s and automated clearing house (ACH) payments in the 1970s. Each of these digital innovations dramatically transformed how banks extended credit and disbursed funds from customer accounts, and how businesses disbursed employee payroll (which was once disbursed in cash or check but is now disbursed by ACH credits to employee bank accounts). While these technologies have not yet entirely supplanted the use of cash and checks, they are well on the way to doing so.

Source: Federal Reserve Payments Study: 2018 Annual Supplement, Board of Governors of the Federal Reserve System

Each application of digital technology in banking has created the opportunity to enhance positive customer experience, grow revenue through new and expanded services, and process transactions more efficiently, effectively and at lower cost. However, with every opportunity digital technology has provided to banks, customers and counterparties, it has also transformed existing risk and often introduced new risk.

The application of MICR to automate check processing dramatically increased the speed of check processing and significantly freed up human resources, increasing revenue and reducing expenses. By carefully choosing the route checks would take to settle, banks increased revenue by speeding up the availability of customer check deposits and delaying the clearing of customer check payments. Manipulating check routing allowed banks to use customer monies for longer durations, providing banks with more funds on which they could generate interest income.

The automation of check processing changed the risk of misrouted and misposted checks from a discrete event associated with human, clerical error, into a systemic risk associated with the threat of malicious and accidental computer programming errors. These systemic errors resulted in entire batches of hundreds or thousands of checks being misrouted, disrupting the bank’s liquidity and introducing the need, on occasion, to correct much larger numbers of misrouted checks and associated customer compensation claims.

In addition, decisions about routing checks not only had to consider how to maximize the duration of use of customer funds but also required banks to begin to seriously consider risks associated with the counterparties to whom the checks were being routed. If the counterparty receiving the checks experienced financial or operational problems, it was possible that the bank’s check settlement would be delayed. If the counterparty became financially insolvent, the delay in settlement could take months, very much impairing the bank’s own liquidity. Consequently, counterparty risk management became a best practice.

The automation of check processing was initiated and managed by the banking industry itself, in the absence of any significant regulatory guidance. It wasn’t until 1987 that the U.S. Congress passed legislation to address concerns about the length of holds banks were placing on checks deposited by their customers.[4] Over the following 15 years, various regulations effectively eliminated banks’ ability to exploit the use of customer funds through check routing because banks were obligated to provide funds availability to customers as quickly as the funds became available to the bank.

Through process automation delivered by MICR technology, risk was transformed from solely being associated with low-velocity operating errors to high-velocity risk, with significant financial and regulatory ramifications.

The widespread deployment of ATMs and supporting ATM networks gave banks an opportunity to grow their customer base without significant investment in new buildings and support staff, and to retain customers at very low cost as they moved about geographically. ATMs enabled smaller banks to compete with larger banks within the same market footprint by simply expanding their ATM networks. It also allowed larger banks to penetrate smaller markets by installing an ATM in lieu of a bank branch.

The threat of lost and stolen cash expanded from teller theft and branch robbery to the physical theft of whole ATMs, cash mishandling and theft by third parties contractually engaged to maintain the ATMs, the physical protection of customers using ATM machines, and resilience of the ATM network to ensure uninterrupted service. ATMs also introduced new, uniquely digital fraud sources such as lost and stolen ATM cards, unauthorized ATM card duplication and card skimmers, as well as raising data privacy concerns. Threat sources expanded from not only the teller or cash courier to persons stocking cash canisters, performing ATM maintenance and maintaining computer programs for when, why and how cash should be dispensed from a machine.

The larger ATM networks grew, the greater the impact of an ATM network interruption on customers and on the bank’s finances and reputation. Managing business resiliency risk of ATM networks became a significant concern. Lastly, existing laws such as the Americans With Disabilities Act (ADA) and Expedited Funds Availability Act (EFA) were adapted by banking regulators to apply to ATM operations. This required banks to modify physical ATMs with braille and audio assistance and to manually examine ATM deposits to place holds and provide required customer hold notifications.

The first universal credit card, which could be used at a variety of establishments, was introduced by Diners’ Club in 1950.[5] By 2012, there were almost 900 million credit cards in circulation globally.[6] This rapid consumer adoption is an indisputable indication of consumers’ perception of the benefit of joining the “card economy.” Like other technology developments in banking, credit cards attracted more customers to the banks that offered them. But they also gave banks a more cost-effective means for delivering credit and payment services. Banks retained traditional credit risk but introduced new and changing sources of risk primarily in the form of increased fraud and “model risk” associated with process automation.

The Federal Reserve has estimated that “the value of fraud in total core noncash payments in the United States, estimated using depository institution survey data, rose from 6.10 billion in 2012 to 8.34 billion in 2015.”[7]

Source: Changes in U.S. Payments Fraud from 2012 to 2016: Evidence from the Federal Reserve Payments Study, Board of Governors of the Federal Reserve System, October 2018 raud-from-2012to-2016-20181016.pdf

To increase banks’ loan balances more quickly and cost-effectively, card-issuing banks implemented increasingly complex computer models to automate decisions regarding which consumers should be issued a credit card and how much their credit card limit should be. “Model risk” became an operational risk concern of banking regulators because poorly designed credit card models could result in banks taking on excessive future credit losses, and could introduce biases in the issuance of credit, inconsistent with the Equal Credit Opportunity Act (ECOA). Today, U.S. banking regulators pay close attention to not only model risk associated with credit issuance but also model risk associated with all kinds of models banks may use to support or supplant human decision-making.[8]

These are just a few examples of digital technology adopted by banks worldwide. The fact is that almost all banking activity today is supported by digital technology. Perhaps only for the purposes of handling physical cash do banking customers have to visit a bank building. Every other product and service offered by banks can be delivered and managed electronically. For many consumers today, money is solely digital. These consumers embody the “cashless” society.

Bank employees today (front-line, support and management) do their jobs interfacing with bank systems directly through a terminal or via a distributed network of computers. Typically, bank employees interface with systems via computers on their desktop interconnected through an elaborate telecommunication network, a part of which is invariably public-facing via the internet.

CHARACTERIZATION OF DIGITAL RISK

Digital transformation tends to change the character of existing risk and often introduces new, perhaps unexpected, risk. The following are the most common characteristics of digital risk in banking.

Dynamically Emerging Digital Risk—Digital risk arises whenever a bank introduces a new or changed product, service, business process, supporting activity or asset that is digital or relies on digital technology, including those being provided to the bank by third parties. In addition, new and expanded rules and regulations are being introduced around the world that relate to digital technology. Frequently, rules and regulations related to digital innovations do not exist at the inception of the innovation and may not emerge until years or decades later. Rules and regulations arise because of a perceived harm from the innovation itself or as a result of an unexpected outcome from the innovation.

Greater Inherent Risk Impact—In the absence of process automation, transactions are executed and decisions are made manually, typically in a sequential fashion. Errors and fraud occurring in manual processing tend to be discrete in nature. When transaction processing is automated and errors and fraud are introduced into an automated process, the error and fraud may extend to every transaction in the process, thereby increasing the inherent risk impact should such error or fraud occur.

Increased Velocity of Risk—The onset of a material incident or loss can result much more quickly from an automated process than a manual process. Because digital risk can emerge so quickly, traditional (non-digital) means of controlling the risk are no longer effective.

Broader, More Complex Threat Sources—Process automation requires both digital technology assets and human resources with adequate technical understanding to implement and operate the technology.

Organizations with insufficient resources to acquire, implement and maintain the technology internally often outsource the activity to third parties. While organizations can outsource the activity, they cannot altogether outsource the risk.

Identity and access roles can be difficult to establish and maintain. For banks, unauthorized access often leads to fraud and financial loss, privacy breaches and compliance violations, financial reporting irregularities, and reputational damage.

Technology that is publicly facing, such as via the internet, is inherently vulnerable to malicious attack. External cyber attacks have repeatedly been found difficult to detect and defend against.

Processes that are interconnected through common technology hubs, such as a common server or telecommunication router, are vulnerable to an attack against one technology spreading to attacks against interconnected technologies. It is difficult for organizations to understand all their technology interconnections, discern the risk associated with the malicious exploitation of interconnections, and prioritize limited resources to manage the risk. It is this interconnectedness that also exposes banks to omnichannel fraud, where banks must consider and manage the possibility that malicious attackers’ ultimate fraud objectives are achieved by manipulating multiple communication channels—as when, for example, social engineering via telephone is coupled with online banking.

Access to the technology user interface and to the technology itself must be restricted to authorized individuals based upon their role and responsibilities. Such restrictions must be implemented to enforce sound governance and internal control, prevent inadvertent errors, and ward off fraud and other malicious activities.

Higher-Impact Business Interruptions—The interconnectedness of banking technologies makes business interruptions more impactful to banks. The loss of power to a central processor or telecommunications hub, destruction of a centralized pool of IT assets or introduction of ransomware has the potential to bring the entire bank to a halt. The length of the interruption and cost to the bank and its customers is highly dependent upon how well the bank prepares for business interruption s