July 31, 2018
Over the decades, the financial services industry has undergone significant transformation due to internal and external factors, including business model transformation, adoption of advanced technologies, changing regulatory environments, etc. The modern banking sector is a highly complex ecosystem, where stakeholders of different backgrounds — internet, tech companies, startups — play an increasingly influential role.
In the increasingly complex environment of the financial services industry, new complexities arise, requiring an adjustment in risk management systems and procedures. For financial institutions, the expanding array of risks that come with new types of players, new technologies, ever-growing complexities of national and international regulations, and changing consumer behavior requires significant resource investments to address the financial and other risks that naturally occur as a result of those changes. More than ever, chief risk and compliance officers play a critical role in monitoring and managing these risks to ensure a safe transformation of banking and the continuity of their businesses.
In its simplest sense, risk could be defined as the uncertainty of an event to occur in the future. In the banking context, it’s the exposure to the uncertainty of an outcome, where exposure could be defined as the position/stake a bank takes in the market.
If history is any indication, banks have borne billions in losses due to imprudent risk-taking. It is hence vital to understand the different types of risks faced by every bank in 2018 and beyond.
Banking risks can be broadly classified under 11 categories:
Open Banking Risk
Business risk is the risk arising from a bank’s business strategy in the long term. When a bank fails to adapt to the changing environment as quickly as its competitors, it faces the risk of losing market share, getting acquired, or shutting shop.
Technology is changing the banking landscape at an incredibly rapid pace. The millennial generation would need a drastic change and development in banking interfaces, which would primarily be led by four clicks on their mobile phones as opposed to long queues in the bank branches.
Banks need to rethink the outdated framework of the core banking systems, rethink the design of their end-to-end tech stack and build upon efficient and quicker back-end systems to turn around and meet the demand of the largely impatient digital consumer.
We already see progressive banks like BBVA and DBS make strides in technological innovation to meet changing consumer demands — whether through strategic partnerships, acquisitions, or in-house developments. Moreover, non-financial tech players like Google, Amazon, Alibaba and Tencent are either aggressively acquiring or investing in the in-house development of new age technologies to offer certain financial services to their vast user bases.
In February this year, U.S. Bancorp agreed to pay $613 million in penalties to state and federal authorities for violations of the Bank Secrecy Act and a faulty AML program. This was a result of the bank’s failure to adopt and implement an effective compliance program with adequate internal controls, testing, and training.
Source: Cost of Bank Misconduct, MEDICI Research
According to the Bank for International Settlements (BIS), in the banking context, compliance risk is defined as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.
It is imperative for banks to establish an infrastructure to organize and analyze data and efficiently manage legal documentation. The senior management of a bank plays a crucial role in formulating, communicating and managing compliance policies across all business units of the bank to minimize compliance risk.
In recent years, banks have begun to implement tech solutions (RegTech) across various cases: data management, digital identity, e-KYC/AML/CFT, fraud monitoring and control, governance, internal integrity, regulatory reporting, risk management, etc. Startups like Trulioo, Signzy and Onfido have been working with banks to enable digital identities and provide seamless customer onboarding by using effective tools that collect and assess large volumes of data and perform related tasks.
Credit risk is the one that most would be familiar with as economies continue to recover from the more recent occurrence in the history of financial services: the subprime crisis. Both global and national banks suffered heavy losses due to incorrect evaluation and monitoring of potential default rates on mortgage payments by subprime borrowers. This fiasco resulted in billions of dollars in damages and left millions jobless overnight.
The Basel Committee on Banking Supervision defines credit risk as the potential that a bank borrower, or counterparty, will fail to meet its payment obligations regarding the terms agreed with the bank. It includes both uncertainty involved in repayment of the bank’s dues, and repayment of dues on time.
It could occur because of the following reasons:
Inadequate income of borrowers
Inadequate underwriting frameworks
Business failure of the borrowers
The unwillingness of the borrowers to repay
In May 2018, two of Canada’s largest banks, Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial, confirmed hackers stole the personal and financial data of more than 90,000 customers. While the banks took online security measures after the hackers contacted them, it was surprising to see that these processes were not put in place before.
Cybersecurity risk is the most prevalent IT risk in the financial services industry. It refers to the risk a financial institution takes on in keeping electronic information private and safe from damage, misuse or theft.
Cybersecurity risk is as much of a people risk as it is technology risk. The risk arises from a range of external and internal factors at banks such as:
Lack of user privilege segregation
Missing transaction business controls
Poor password policies
Inadequate logical access controls
Shortcomings in personnel vetting
The key to mitigating cybersecurity risk is to apply the controls across all business units and divisions so that no access permissions are granted unintentionally or without prior knowledge.
Northern Rock, a small bank in Northern Ireland, had a small depositors’ base and hence financed a significant portion of its loans by securitization. In 2007–08, during the subprime crisis, the bank was unable to sell the loans to other banks that it had originated in the form of new loans resulting in investors withdrawing their money from the bank. This resulted in a liquidity crunch, which led to the bailout by the government and an eventual government takeover. This is a classic example of how imprudent management of liquidity risk can ruin a bank.
Liquidity risk can be defined as the risk of a bank not being able to finance its day-to-day operations. Failure to manage this risk could lead to severe consequences for the bank’s reputation as well as the bond pricing and ratings of the bank in the money market.
According to the Basel Committee on Banking Supervision, market risk can be defined as the risk of losses in on- or off-balance sheet positions that arise from movement in market prices. The four components of market risk are:
Interest risk: potential losses due to a change in interest rates. Requires Banking Asset/Liability management.
Equity risk: potential losses due to change in stock prices as banks accept equity against disbursing loans.
Commodity risk: potential losses due to change in commodity (agricultural, industrial, energy) prices. Massive fluctuations occur in these prices due to continuous variations in demand and supply. Banks may hold them as part of their investments, and hence face losses.
Foreign Exchange risk: potential loss due to change in the value of the bank’s assets or liabilities resulting from exchange rate fluctuations as banks transact with their customers/other stakeholders in multiple currencies.
The probability for a bank to take on unprecedented levels of risk without evaluating the economic soundness of the decision of risk-taking for all parties involved can be regarded as a moral hazard. The decision is often based on the fact that a third party/another institution will underwrite the risk.
Moral hazard occurs when the bank decides the magnitude of the risk to be undertaken with the knowledge that a counterparty bears the cost of the risk taken.
Once again, the subprime crisis proves to be a classic example of this. Banks risked depositors’ money to facilitate transactions of very risky instruments, knowing they would not face the consequences directly. Top management of all banks can be prone to moral hazard.
An open banking ecosystem functions as a single platform for a number of participants, such as regulators and government agencies, data providers, third-party providers and customers, to engage in an open infrastructure with the end motive of enhancing the customer experience.
While this will push banks to aim at being fully digital, and make customer data more accessible for the ecosystem to build superior products on, it could also create an environment that would enable more fraud.
Aggregated customer data, such as transactions maintained in the third-party provider’s (FinTech startup’s) infrastructure and servers, can cause significant risk to the bank’s cybersecurity. Banks need to move quickly in complying with PSD2 and GDPR directives laid down by independent government agencies and the financial regulatory bodies to avoid exposing themselves to a myriad of systemic risks which could lead to financial as well as reputational damages.
Barings, one of the oldest British banks, collapsed in 1995 due to mismanagement of operational risk. One of its traders successfully hid his trading losses for more than two years due to inefficient and inadequate internal controls. He authorized his own trades without any approvals. The supervisors only noticed once the losses became huge and couldn’t be hidden any longer. It was, however, too late.
The Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people, and systems or external events.
All banks (full service/others) face operational risks in their day-to-day BAUs across all their departments, including treasury, credit, investment and information technology.
There are three main causes of this risk:
Human Intervention & Error
Failure of the IT/internal software & systems
Failure of Internal Processes to transmit data & information accurately
Punjab National Bank, the second largest public sector bank in India, was defrauded of more than ~$1.647 billion by the largest diamond and jewelry businesses in the country, making it the largest fraud to be detected.
The fraud, incidentally, is 49X the net profit posted by PNB for the quarter ending December 31, 2017, and more than twice the amount that PNB got under the bank recapitalization plan. This scam has caused immense mistrust in the bank’s internal controls and checks, causing massive damage not only to its market capitalization but, more importantly, to its reputation in the country.
Reputational risk implies the public’s loss of confidence in a bank due to a negative perception or image that could be created with/without any evidence of wrongdoing by the bank. Reputational value is often measured in terms of brand value. Advertisements play a significant role in forming & maintaining the public perception, which is the key reason banks spend millions in content marketing dollars.
Reputational risk could stem from:
The inability of the bank to honor government/regulatory commitments
Nonobservance of the code of conduct under corporate governance
Mismanagement/Manipulation of customer records
Ineffective customer service/after sales services
This risk includes the possibility of bringing the entire financial system to a standstill, as was possibly seen during the dot-com bubble in 1995, or the housing market crash of 2008. It is caused by a domino effect, where the failure of one bank could cascade into the failure of its counterparties/other stakeholders, which could, in turn, threaten the entire financial services industry.
The Volatility Index (or VIX) is a good measure of systemic risk. Systemic risk, in itself, would not lead to direct losses. However, in a scenario where VIX is at high levels, there is a high probability that market risks (and other risks) will reach very high levels, which would eventually lead to losses.
Banks can exercise a large degree of control over certain risks by enabling and investing in efficient internal and external controls, systems and processes. They can also manage some types of risk by ensuring meticulous, tech-driven audits and compliance. Some risks such as systemic risk, which the banks have little or no control over, can only be mitigated if banks have a strong capital base, to ensure a sound infrastructure.