Celent Model Bank Awards: Fraud, Risk Management, Process Automation and Flub-Free

It is my privilege to be part of the judging panel for Celent Model Bank Awards for 2017 for the following three categories:

  • Fraud Management and Cybersecurity – for the most creative and effective approach to fraud management or cybersecurity.
  • Risk Management – for the most impressive initiative to improve enterprise risk management.
  • Process Automation – for the most effective deployment of technology to automate business processes or decision-making.

A common theme across this year’s submissions for the above categories is the importance of agile technology, digital process automation, and consistent and focused practices across the organizations. A large number of the entries show that a streamlined and automated operational risk framework is critical to run a successful risk management program. Everything connects and has a consequence and unless banks can join the risk dots across their ecosystems, they will continue to spend at a very high rate with unsatisfactory and, at times, devastating results.

Improved data analysis and machine learning capabilities also featured prominently in the winning case studies. A central data platform, automated processes and improved insights have produced notable increases in efficiency, better control of costs, reduced resourcing requirements, reduced errors and false positives and have made it easier for the banks to adapt to their digital footprint, an expanding cyber threat landscape, and intense and complex regulatory obligations.

Hopefully, no flubs on the big day

Without exception, every submission is of a high-quality and we found it a daunting task to pick the most worthy award recipients. In the end, we are excited and confident about our selection of winners in the above categories, yet we are sorry that we could not recognize so many others that clearly also deserve recognition.

At the moment we are staying tight-lipped about who won the awards. We will be announcing all winners publicly on April 4 at our 2017 Innovation & Insight Day in Boston. In addition to presenting the award trophies to the winners, Celent analysts will be discussing broader trends we’ve seen across all nominations and will share our perspectives why we chose those particular initiatives as winners. Make sure you reserve your slot here while there are still spaces available!

How to Woo a Bank

When it comes time to choose a business partner, banks will favor those who help them execute their third party risk management (TPRM) responsibilities over those who begrudgingly comply.

The risk to a bank of doing business with a third party is real; the consequences of a risk event are not only disruptive, but often result in long-term reputational damage that can seriously affect the bottom lines of both the bank and the third party. We have all seen the media coverage. Parties who can make TPRM easier for banks by being proactive, transparent, and helpful will distinguish themselves in an ever more competitive environment.

They must show that they are compliant with the bank’s risk management requirements throughout the RFP, due diligence, and onboarding processes, and across the lifecycle of the engagement. OCC TPRM regulations alone require the bank to evaluate 16 risk dimensions when engaging with a third party. And, if the relationship involves a high or critical risk activity, the bank will carry out much more thorough due diligence, often including an on-site visit to inspect the operational risk procedures that would apply in the case of a risk event.

Furthermore, there is now an expectation that the third party will willingly take a portion of the liability of such an event.

Banks are introducing a new level of discipline and quantification around the measurement of third party risk. With this knowledge, banks can determine third party indemnification provisions and allocation of liabilities at the contract stage. You will be at a disadvantage if you do not have a way to measure and verify the scope of a potential risk event that involves your products or services.

Celent is also beginning to witness the inclusion of provisions within contracts that require a third party to reimburse the bank for out-of-pocket costs relating to data security breaches that occurred due to the third party's negligence. As banks continue to push back on third party risk liabilities, third parties need to ensure they have in place insurance policies that can fund indemnification obligations.

My recent two research reports discuss the changing and expanding landscape for TPRM and explain why banks, regulators and third parties need to commit to their significant other in the management and responsibility of risk.

European Payments: Breathing a Sigh of Relief (For Now)

In our recently published report on Top Trends in Retail Payments we quoted a European payments professional:

“If the publication of PSD2 gave the industry a headache, then the publication of draft RTS gave it a heart attack.”

Of course, he was talking about the draft regulatory technical standards (RTS) that the European Banking Authority (EBA) has been tasked to develop for how the industry should implement the Payment Services Directive's (PSD2) requirements for strong customer authentication and secure communication. The draft RTS published in a consultation paper last August was indeed rather draconian. One of the key proposals was "not to propose exemptions based on a transaction risk analysis performed by the PSP” and to keep “the authentication procedure […] fully in the sphere of competence of the ASPSP [Account Servicing Payment Service Providers, i.e. banks].” The draft RTS has united the industry to an extent rarely seen before – representatives from payments, cards, e-commerce, small merchants, digital technology, telecoms, travel and other industries have expressed concerns that the EBA’s standards, implemented in their current form, would “make online shopping much more onerous than it is today and have a wider and chilling effect on the Digital Single Market.”

Thankfully, it appears that the EBA has been listening. The final standards have not yet been published, but yesterday Andrea Enria, Chairperson of the EBA, gave a speech at the Westminster Forum that offered the clearest indication yet that the EBA is open to changing the RTS. Specifically, according to the speech, the RTS when published will:

  • Introduce two new exemptions, one based on "transaction risk analysis" and the other for payments at so-called "unattended terminals" for transport or parking fares. The transaction risk analysis exemption will be linked to maintaining predefined fraud levels and will be reviewed after 18 months.
  • Contain some changes to the existing exemptions, such as increasing from EUR 10 to EUR 30 the threshold for remote payment transactions. However, there will be no further exemptions for e.g. corporate payments.
  • Outlaw the current practice of third party access without identification (e.g. ‘screen scraping’) once the transition period under the PSD2 has elapsed and the RTS applies.
  • Maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. A requirement has been added requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability.
  • Remove references to ISO 27001 and other specific, technological characteristics, to ensure technology-neutrality and allow for future innovations.

It will be important to review the details when the final RTS is published, and of course much work will still have to be done by the industry to ensure compliance. Yet it seems that the payments professionals in Europe may breathe a sigh of relief – the heart attack may have just been averted, at least for now.

Banking Third Party Risk Management Requirements are a Big and Expensive Ask

Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~$750 million per year. Institutions are paying three times as much as their third parties to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000, and it takes the institution approximately 16 weeks to complete.

The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC expresses best the sentiment of worldwide regulators:

“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution." www.fdic.gov

If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.

In the first report of a two-part series, just published by Celent, “A Banker’s Guide to Third Party Risk Management: Part One – Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. It describes the components required for a best-practice program and shows examples of two strong operating risk models being used by the industry that incorporate third party risk management into the enterprise-wide risk management program.

Unfortunately, there are few institutions that have successfully implemented strategic third party risk management programs. Most institutions fall between stage 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.

Stop Throwing Money at Cybersecurity

Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.

We continue to see proof that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and offers a micro view of security concerns.

My new Celent report, “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for sounder and more resilient cybersecurity.

The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:

1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.

2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.

3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.

4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.

5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in silos or under pressure; select the right expertise to identify the issues and carry out due diligence on products.

6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.

7. Know what technology you want from your vendors; know what advice to seek from your consultants.

8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.

Key Takeaways from Sibos 2016

Having just returned from the whirlwind that is Sibos, I (along with many other industry observers) feel compelled to contribute my two cents on the top takeaways from the event, along with one observation on the mood. Nothing about Sibos can be exhaustive, but three key areas stood out: Cyber, PSD2, and Open Banking / APIs.

Cyber was the first topic mentioned in the opening plenary address. Its seriousness brought into stark relief by the $81mm Bangladeshi incident (something my cab driver in Boston asked about on the way to the airport!), cyber was a focus throughout the conference. While it has long been an important issue, it has catapulted to the top of the agenda of every member of SWIFT’s ecosystem given the recognition that the system is only as secure as its weakest node.

PSD 2 is often thought of in a retail banking context, but its implications will carry over to the corporate side as well. There are two critical points: 1) Banks must make their customers’ data accessible to any qualified third party, and 2) Third parties can initiate payments. These changes will have profound second-, third-, and even fourth-order effects that can scarcely be imagined today. Banks are thinking through what they need to do to comply, as well as what their strategies should be once they’ve implemented the necessary (and not inconsequential) technology changes. For a primer on the current state of PSD2, see Gareth Lodge’s recent report on the subject.

Open Banking is enabled by APIs. While PSD2 is certainly accelerating the concept, it would have been gaining momentum even without the external pressure. There are simply too many activities that can be done better by third parties than by banks, and the banks have realized that they need frictionless ways to tap into these providers. APIs are a critical mechanism to enable this interaction. Technology, of course, is a necessary but not sufficient condition for success; banks must be culturally able to integrate with new partners quickly and flexibly.

On a final note, the mood was pragmatic. The atmosphere wasn’t one of consternation, panic, or confusion. Instead, the buzz was focused, purposeful, and businesslike. Bankers and their service providers are ready to roll up their sleeves and get the job done instead of wringing their hands about all of the possible ill-fated futures that could arise. We at Celent look forward to the progress to come in 2017. What are your thoughts?

Corporate Onboarding: Starting the Relationship Off on the Right Foot or Putting Your Foot In It?

Just for a moment, imagine that you are a corporate treasurer, forced to find a new lead transaction banking provider because one of your incumbents is either getting out of the business, prefers to work with companies that are smaller/bigger/borrow more money, or has closed down its operations in several countries where you do business. You have gone through the effort of creating a complex RFP and sent it to 3 or more banks, and after an exhaustive search and extensive contract negotiations, you have made your decision and it's time to start the onboarding process. You are excited to move your banking activity to a new provider that has done such a masterful job of convincing you of their superior products and solutions, their investments in leading edge technology and their world-class customer service. And then reality hits... the onboarding process kicks into high gear. You understand that banks are facing increasing regulatory scrutiny in the areas of KYC and AML, because even your current providers are looking for regular updates for compliance purposes. But you hope that the process has been streamlined since the last time you established a new primary transaction banking relationship. After filling out reams of paper documents, fielding multiple calls from different areas of the bank asking for the same information you have already provided, pinging your bank relationship manager for status updates on a weekly basis, and wondering out loud more than a few times... "why did I choose this bank?"... the onboarding process is finally complete (except for some of those more complicated host-to-host integration pieces), and it only took twelve weeks from start to finish.

As described in a recent Celent report titled Onboarding in Corporate Transaction Banking: Prioritizing Investments for Reducing Friction, transaction banking providers have lots of room for improvement when it comes to starting the relationship off on the right foot. Our thesis is that improving the onboarding process from a client-centric perspective should be one of the most important priorities for transaction banking. Whether establishing a new relationship or assisting a client in expanding an existing one, implementing transaction banking services in an efficient, timely, and transparent manner can be a key demonstration of a bank’s commitment to client-centric innovation.

Even with significant technology investments over the past decade by banks to improve components of the onboarding process, it is common to hear frustration on the part of corporate clients about its manual nature, the increase in the amount of paperwork being requested by banks, the length of time it takes to be able to use the account or services, and the lack of visibility into the process. It's easy to blame the regulators, but the bottom line is that most banks are investing in components of onboarding to check off the compliance box and, in some cases, are actually adding friction to the onboarding experience for clients rather than removing it.

But there is hope. The current generation of KYC industry utilities, document management technology, business process management platforms, and digital channels presents an opportunity for banks to reduce friction in customer onboarding. The fundamental question is, with so many opportunities for improvement, how should banks prioritize? Well, let's get back to our imaginary corporate treasurer. How would she prioritize? What would she say if we asked how the onboarding process could be improved so that instead of frustration at the start of the relationship, there is a sense of confidence that she's chosen the right bank? Clients have experience working with several or many different transaction banks, and just as they compare the different digital channels and service quality of the banking solutions they use, they also can offer a view of how a bank’s onboarding capabilities stack up against its competitors. Corporate treasurers indicate that more self-service capability, shortened timeframes, better coordination across the bank, and enhanced visibility are all high priorities for clients.

We think that banks need to have two guiding principles for enhancing the onboarding process:

  • enabling both internal and external visibility to eliminate the onboarding “black hole,” to reinforce accountability of all parties, and to allow for more effective collaboration
  • focusing on improvements with direct client impact, for example, reduced number of interactions, reduced requests for information already on file, digitization, consistency across geographies wherever possible, clear and concise documentation, and aggressive SLAs for onboarding

There are a few banks that get it: they not only ask for client feedback about onboarding, but they listen and adapt. They make it a high priority because they recognize that the "digital journey" isn't just about retail banking anymore. If anything, the digital experience is even more critical for corporate clients, who look to their transaction banking partners to enhance the efficiency of their treasury operations through digitization. If you can't demonstrate your commitment to innovation by offering a client-centric digital experience during the onboarding process, then you are selling your investments in digital banking solutions short. And that's putting your foot in it for sure!

Faster Than A Speeding Payment: The Race To Real-Time Is Here

It’s been two years since my last reports on real-time payments, and much has happened, not least in the industry's perception and understanding of the topic. As a result, the discussions in many countries that don’t have a real-time payments infrastructure are now about when they will adopt, rather than why they would adopt. Yet in that intervening period, it’s not just the pace of adoption that has accelerated; the market and the thinking around real-time itself have matured as well.

As a result, I’ve just written a new report titled Faster Than A Speeding Payment: The Race To Real-Time Is Here.

Central to the report is the fact that rather than just being “faster ACH”, real-time is increasingly being seen (and should be seen!) as a fundamentally different payment type than anything that has gone before it. As a result, banks, whether they are about to implement their first system or are already an existing user, need to think about where real-time is heading, and to plan accordingly.

This thinking – and more – is set out in the report, which seeks to explore the following questions:

  1. What is the pace of real-time payment adoption?
  2. Why should our bank plan for real-time payments?
  3. What should a bank do regarding real-time payments?

The pace question is clearly answered in one of the charts from the report (the chart itself is not reproduced here):

From the 32 countries identified in the initial report (using criteria we defined, which is important!), in 2 years we’ve gone to 42 countries plus cross-border systems. Of the countries that claimed they didn’t see why they would adopt, at least one (the US) is currently reviewing more than 20 systems, all of which might co-exist.

The report goes into much more detail, but there is a clear implication. Real-time is firmly here, and it’s increasingly being seen as the payment system of the future. Banks that try to limit the scope of projects today may be saving themselves money in the short term, but they are likely to create more work, and more costly work, in the future. Given that most payment networks have a life span measured in decades, it’s a long time to be stuck with a compromise.

Ultimately, however, it’s about building a digital bank as well. Without doing so, banks will be providing the tools to their competitors, yet unable to use them themselves. Adding a real-time solution to a process that takes weeks, such as a bank loan, makes no difference in terms of the proposition. Fintechs are able to use a real-time payment as the enabling element of a digital experience because all of the solution set is real-time – an instant decision and payment of the loan sum is a game changer.

Digital payments without a digital bank would seem futile.

Passwords Suck – Bring on Biometrics!

Now that I have your attention, let me be clear: I hate passwords, particularly when they are increasingly required to be longer, more complex and frequently changed. Apparently, I am not alone in this sentiment.

At a conference in 2015, a small start-up, @Pay, a low-friction mobile giving platform, offered attendees a free t-shirt in return for seeing a brief demo. I must confess that I was more interested in the t-shirt than @Pay’s product demo. The line went out the door! Here is the t-shirt (image: @Pay's sought-after t-shirt).

Working from a home office means t-shirts are a staple part of my daily wardrobe. I have tons of them. None of them, however, engenders such predictable responses from complete strangers as the one above. Responses range from a simple thumbs up or high-five to an occasional “You got that right!” Passwords do suck. I have so many to manage that I use Trend Micro’s Password Manager to ease the pain.

That’s why I am excited to see more institutions migrate to biometric forms of authentication. Dan Latimore blogged about the rapid increase in the number of US financial institutions employing biometrics within their mobile apps here.

Banks shouldn’t stop there, however. In a June 21 New York Times article, Tom Shaw, vice president for enterprise financial crimes management at USAA, was quoted as saying, “We believe the password is dying. We realized we have to get away from personal identification information because of the growing number of data breaches.”

I agree with Tom’s sentiment, but if passwords are dying, it appears to be a very slow and painful death. Here’s one example of why I say this. A chart in the original post (Branch Tech Usage Likelihood, not reproduced here) shows the surveyed likelihood of technology usage in future branch designs, as measured by Celent’s Branch Transformation Research Panel in late 2015. More than two-thirds of surveyed institutions thought the use of biometrics in future branch designs was “unlikely”.

Authentication and identity management may always involve a trade-off between security and convenience, but the industry’s overreliance on personal identification information is failing on both counts.

  • At ATMs – it contributes to skimming fraud
  • In digital customer acquisition – it contributes to unacceptably high abandonment rates
  • In the mobile channel – it contributes to its slowing rate of utilization growth
  • In the branch – banks deny themselves the ability to delight customers with improved engagement options made available by skillful digital/physical integration

We’ll be looking into the topic of authentication and identity management in our next Digital Banking Research Panel survey in the coming weeks. If you’re a banker and would like to participate in this or future Digital Panels, please click here to fill out a short application.

Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the different risks across their institutions. It has been, and will remain, costly, time consuming and a top priority. Celent profiles two award-winning banks that have modelled excellence in their use of risk management technologies across their institutions.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA

Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards, simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information onto a single platform that connected to front office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk rating and risk-weighted asset calculations engine. The initiative is seen as one of the most important initiatives in the bank’s history. The successful completion of the project has placed Alfa-Bank at the forefront for setting standards and best practice methodologies for capital management regulations for the Russian banking industry and Central Bank.

USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE

The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial and vocal) to access its mobile banking application positions USAA to be able to compete with Fintechs across the digital banking ecosystem and offer exceptional service to its military and family members.

USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are, and address increasing concerns around the high level of compromise of static user names, passwords, and predictable security questions through sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.