Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~$750 million per year. Institutions are paying three times as much as their third party to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000, and the exercise takes the institution approximately 16 weeks to complete.
The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC expresses best the sentiment of worldwide regulators:
“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution.” www.fdic.gov
If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.
In the first report of a two-part series, just published by Celent, “A Banker’s guide to Third Party Risk Management: Part One Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. The report describes the components required for a best-practice program and shows examples of two strong operating risk models being used by the industry that incorporate third party risk management into the enterprisewide risk management program.
Unfortunately, there are few institutions that have successfully implemented strategic third party risk management programs. Most institutions fall between stage 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.
It’s remarkable that in just five years Money 20/20 has gone from a standing start to having about 11,000 [sic – you read that right] registrants. We go to many conferences throughout the course of the year, and the growth in Money 20/20 is unprecedented in the financial services space (as the chart shows). We’ve used data from sponsors and from blogs to assemble the numbers below; there’s no doubt that Money 20/20 is now the 800 pound gorilla in the space.
Money 20/20’s growth is due in large part, we believe, to the ecumenical approach that the organizers have taken toward the payments ecosystem. Rather than focusing on just banks and vendors, the show includes processors, merchants, venture capitalists, startups, and other various and sundry hangers-on (including analysts). The organizers’ excellent marketing has played a role, to be sure, as has their interesting mix of commercialism and insightful content from the various participants on stage in both plenary and track sessions. But in many ways Money 20/20 has hit a particular point in time just right, recognizing that the payments ecosystem is bigger than just banks, and needs a forum where every participant could get together. The tragedy: this event could have belonged to any of the incumbent organizers of conferences, but they didn’t seize the initiative.
A final thought on substance: while the need for cooperation and collaboration across the ecosystem was universally acknowledged, as was the precept that incumbents and fintechs must partner (hallelujah!), it was interesting that one of the most ambitious payment collaborations of all time, MCX, was nowhere to be seen. It, at least in 2015, was a bridge too far.
This is a copy from my guest post for Finnovista that I wanted to share with you here as well.
A few years ago, when we started collaborating in creating the Latin American Fintech community, there were no Fintech associations, no Fintech conferences and for sure there was no mapping of Fintech start-ups at all. It has been quite a journey for all of us involved. Kudos to the Finnovista team for being a key element and catalyser for these achievements!
What an exciting moment to be in financial services! Many things are going on. Banks are being unbundled, and it’s happening everywhere. Want to take a look? Check what’s going on in the US, Europe and in nearer places across Latin America like Mexico, Brazil, Colombia, Argentina and Chile.
It’s making no distinctions, affecting personal and business banking equally. Consequently, the nature of competition is changing, and pressure is not expected to come from other financial institutions. In a recent Celent survey of SME banking representatives from Latin American banks, most believe that the fundamental changes expected to occur in the banking industry won’t come from other financial institutions; instead they are looking mainly to new entrants and adjacent industries.
In last year’s survey of retail banks in Latin America, Stanford University found that 47% of the banks see Fintechs as a threat. The same survey indicates that only 28% of the banks meet the needs of their digital customers. Not a position where you want to be.
Customer expectations, pressure on revenue and cost, and increased regulation don’t make life easier for banks either. Fintech start-ups may have an advantage over banks in responding to customer expectations, and being leaner leaves Fintechs better positioned to put pressure on costs; but they have to play under the same regulation and at some point earn revenues in excess of cost (a.k.a. be profitable).
The FCA, the U.K. financial regulator, has opened its sandbox for applications from financial firms and tech companies that support financial services. Successful applicants can test new ideas for three to six months with real consumers under loosened regulations. This is something we haven’t seen yet in Latin America, though regulators are increasingly open to the benefits of Fintech and innovation, particularly if it is related to financial inclusion: we have seen the support of regulators for mobile wallets across the region in the last couple of years. Mexico appointed this year an officer for Fintech development in what I see as the leading case in the region to facilitate the adoption of services provided by Fintechs under the umbrella – and supervision – of the regulator. Most recently, the Argentinean regulator has introduced changes enabling digital onboarding, and in payments facilitating competition and adoption; no sandbox yet, but maybe a digital/branchless bank on the way? Will it be a disrupting incumbent or a new player? By themselves or in cooperation with Fintechs?
Indeed, there has been a lot of debate regarding the nature of the (best) relationship between banks and Fintechs; be it competition, cooperation or coopetition, banks need to play a different game. The ecosystem has changed incorporating a myriad of players and increased complexity. Banks must reconstruct their business models around three areas, recognizing that they are part of a broader and new financial ecosystem:
- Channels: How the bank serves customers
- Architecture: How the bank organizes to deliver value
- Innovation: How the bank delivers new ideas, products and services around both channels and architecture
Banks can innovate on their own, or partner with Fintechs or other 3rd parties; at the end of the day banks need to select and execute on the best innovation models. There is no single answer that fits all; each institution will have to discover the best combination of innovation models aligned with risk appetite, organizational culture and the target customers you want to reach.
Banks are ultimately responsible for all of the services that they provide, even when they contract with third parties to help them deliver those services. More and smaller banks are partnering with outside providers, and there are more and smaller third parties being formed to meet more specific bank needs. While there’s even a section in the U.S. Federal Financial Institutions Examination Council’s (“FFIEC”) IT Examination Handbook detailing what sorts of due diligence a bank should conduct on its third party service provider, there’s still room for interpretation when deciding how more inexperienced banks should deal with those responsibilities.
The answer isn’t straightforward. All banks are challenged when contemplating a relationship with a small fintech because of the first three items on the FFIEC checklist: Existence and corporate history; Qualifications, backgrounds, and reputations of company principals…; and Other companies using similar services from the provider…. Small, new companies will find it more difficult than established firms to pass muster; many banks simply won’t want to take the risk of dealing with them. And many smaller banks simply won’t have the resources or expertise to properly vet these new entrants.
At the same time, many larger service providers to banks (including software vendors, outsourcing providers, and consulting shops) are searching for ways to bring innovation to their banking clients.
In recent conversations with clients I’ve been struck by an increasingly popular solution: a larger, more established firm bringing a fledgling company under its wing. The incumbent does the due diligence, offers advice, and, when satisfied, vouches for the FinTech. It may license the software, or engage the Fintech as a subcontractor; in any case, it’s assuming responsibility for the work of the smaller and newer firm.
Executed properly, it’s a three way win: the bank accesses a new and innovative solution; the incumbent service provider is able to add new value to the relationship; and the fintech is able to begin a relationship from which it would otherwise have been shut out. All participants in the banking ecosystem should consider whether this solution can help their particular situation.
In March of this year the Federal Reserve released the newest iteration of its consumer survey report on mobile banking, Consumers and Mobile Financial Services 2016. One fact that sticks out is how slow mobile banking adoption has been over the last few years. While 53% of smartphone users have used mobile banking in the last 12 months (nowhere near “active”), that number has only grown 3 points since 2012, a CAGR of just 1.9%! This is hardly the unrelentingly rapid pace of change espoused by many who thought evolving customer behavior would overwhelm traditional banks’ ability to adapt.
Obviously there’s a disconnect between the hype surrounding mobile banking and the reality of how consumers are actually interacting with financial institutions. But why then have forecasted rates of adoption not been realized? There are a few possibilities.
- Mobile banking is reaching peak adoption: In the consumer survey by the Fed, 86% of respondents who didn’t use mobile banking said that their banking needs were being met without it. 73% said they saw no reason to use it. While the idea that mobile banking adoption would peak at around 50% doesn’t intuitively make sense for those in the industry, it’s obvious that many consumers are perfectly fine interacting with their bank solely through online banking, ATMs, or branches; they may never become mobile users.
- Mobile banking apps need improvement: It’s likely that many mobile banking apps still aren’t mature enough to ease some of the UX friction and convince a large portion of consumers that they provide sufficient value. In the same Fed survey, 39% said the mobile screen is too small to bank, while 20% said apps were too difficult to use. With three-fourths of non-using respondents (mentioned in the previous bullet) finding no reason to use mobile banking, apps may need to improve functionality and usability to attract end users. The correlation between features offered and mobile consumer adoption is also well established. Mobile banking apps may have reached an adoption peak relative to their maturity, and institutions will likely see adoption grow as apps advance and as demographics increase usage.
- Channel use is a lot stickier than perceived: Consumers are still consistently using the branch. The two figures below illustrate what’s happening. The first graph comes from the Federal Reserve report on mobile banking usage, while the second is taken from the Celent branch channel panel survey taken of more than 30 different midsize to large banks. On average, 84% of consumers surveyed by the Fed report using a branch, while respondents of Celent’s survey see 83% of DDA/savings accounts and 79% of non-mortgage lending products originated from the branch channel. Mobile only has a 2% share of total sales. While many institutions find it difficult to attribute sales across multiple channels and have a well-known historical bias towards branch banking, these stats don’t support the notion that consumers are migrating away from the branch and towards mobile banking. We’re aware these numbers don’t take into account transaction migration, and likely the sales mix will shift as more banks launch mobile origination solutions, but regardless, it’s obvious the branch is still the most used channel by far.
Mobile banking isn’t taking over the financial lives of consumers as much as institutions and many analysts predicted it would, and at least for now is settling into a position alongside other interaction points. Consumers are clearly opting to use channels interchangeably, and it’s not obvious that mobile will have any predominance in the next few years. As a result, banks need to move away from arbitrary goals surrounding channel migration and instead let the consumer decide what works best for them. This certainly doesn’t imply that institutions should stop developing mobile—there are clearly lots of areas for improvement—but it’s important to not get swept up in the hype surrounding emerging channels.
Remember, more than 60% of FI customers aren’t enrolled in mobile banking, and it accounts for only 2% of sales. Focusing so intently on capturing a larger share of mobile-first or mobile-only consumers risks misaligning bank resources towards projects that don’t offer the maximum value. Banks shouldn’t be rushing into things—they’ve got time to do this right and in an integrated way.
Financial institutions need a mobile strategy for younger consumers who will most certainly prefer mobile, but older consumers aren’t going anywhere anytime soon. Mobile, at least for now, isn’t the end-state. Mobile-only banks aren’t going to take over the world anytime soon and institutions should be considering the broader proposition of digital in the organization. This means a solid digital strategy across all channels, and a focus on driving the experience, not pure adoption.
What did Britain say to its trade partners?
See EU later.
It’s been a funny week or two to say the least, so it seemed apposite to start with a joke (and we’re not talking about the England vs Iceland result! – the Icelandic commentator is worth a 30-second listen).
The UK woke up to find that it was leaving Europe. Given the legendary British reserve, stiff upper lip, etc., it is quite incredible just how divided the country has become, and how everyone has an opinion. As a result, there has been a lot said before, during and after the campaign that needs to be sifted very carefully. This is a genuine attempt at a factual look at quite what this means as many of the facts are very definitely not facts.
What's actually going to happen? Frankly, the short answer is nobody actually knows. No country has ever left before. Greenland did but is both smaller and was leaving for other reasons. Nor did they invoke Article 50 (more of which in a second) which has never been used. Whilst there are some legal guidelines and processes, given that the European Union is an economic union governed by politicians, it’s fair to say that the process will be very political in nature. Particularly as Article 50 is not very precise.
The first step is for the UK to activate Article 50, which effectively formally starts the process. The UK has two years from informing the European Parliament that it intends to leave and actually signing Article 50. Given other European elections, and despite some public calls from Europe to get on with it, some believe that it is likely to be later rather than sooner.
Until Article 50 is signed, the UK is still in Europe, and everything continues as it does today. What is less clear is what happens next once Article 50 is signed, and how long the process will take. UK Government analysis suggests 5 years, yet others say at least a decade.
Nor is it yet clear what the UK will choose to negotiate on. For example, it may choose to voluntarily adopt regulation such as PSD2. We (or, to be clear, Gareth) believe that the UK will push ahead with PSD2, as many of the rules are either in place in the UK already, or reflect the way the Government is thinking, e.g. the Open Data Initiative arguably is far wider reaching than the Access to Accounts element of PSD2.
It’s not necessarily clear quite what is or isn’t the European Union. For example, passporting, the rule that allows financial services firms to be licenced in one country and operate in another, is actually (according to the Bank of England website at least – other reputable sites even disagree on this!) a European Economic Area (EEA) initiative, and even countries outside of the EEA, such as Switzerland, have negotiated deals. This is particularly key for card acquirers, many of whom use their UK licence to negate the need for local ones across Europe.
So, as the saying goes, the devil will be in the detail. And that’s going to take time to unravel, and to negotiate even on the things that need negotiating.
Over the coming months, banks will need to scenario plan on multiple dimensions. They will need to identify key regulations that impact their business, how that might be regulated, and how long it would take the bank to respond. Yet many, if not most banks, will have done some of this risk profiling before the vote took place.
Until there is clarity, the reality is that it’s the political fall-out that is going to have the most impact in the short term, itself creating a degree of additional economic turmoil.
Large FIs spent $25M rolling out failed risk management frameworks during the 2000s. So why try again?
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Incident response, including by setting clearly defined roles and decision making authority
This week I’m in Singapore, which provides a beautiful backdrop for Sibos 2015, the annual conference that brings together thousands of business leaders, decision makers and topic experts from a range of financial institutions, market infrastructures, multinational corporations and technology partners.
This year’s conference theme is connect, debate and collaborate and takes place at a time of increasing headwinds from a slowing global economy, higher compliance costs, increasingly global corporates, and competition from both banks and nonbanks alike. I spent the past few months taking a deep dive into corporate banking performance over the past 10 years–a period of both tremendous growth and unprecedented upheaval. As expected, corporate banking operating income and customer deposit balances have experienced healthy growth rates over the past 10 years. But surprisingly, despite increases in customer deposits, corporate banking income was largely stagnant over the past few years.
Corporate banking plays a dominant role for the largest global banks. In 2014, corporate banking was responsible for 33% of overall operating income and 38% of customer deposits across the 20 banks included in this analysis.
As outlined in the new Celent report, Corporate Banking: Driving Growth in the Face of Increasing Headwinds, this critical banking sector is shaped by four external forces: economic conditions, the regulatory environment, business demographics, and financial technology. These same factors are slowing corporate banking growth and creating an environment in which banks are overhauling client offerings in the face of regulatory pressure, re-evaluating geographic footprints in response to shifting trade flows, and investing in technologies to ensure a consistent, integrated customer experience.
Much of the discussion at Sibos is on exploring transformation in the face of disruption. As they look to an unsettled future, corporate banks that are flexible, adaptable, and creative will be the ones that succeed. Changing time-tested ways of doing business is painful, but critical for future success.