Banking Third Party Risk Management Requirements are a Big and Expensive Ask

Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~ $750 million per year. Institutions are paying three times as much as their third parties to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000, and the work takes the institution approximately 16 weeks to complete.

The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC expresses best the sentiment of worldwide regulators:

“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution." www.fdic.gov

If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.

In the first report of a two-part series, just published by Celent, “A Banker’s Guide to Third Party Risk Management: Part One: Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. The report describes the components required for a best-practice program and shows examples of two strong operational risk models used by the industry that incorporate third party risk management into the enterprisewide risk management program.

Unfortunately, there are few institutions that have successfully implemented strategic third party risk management programs. Most institutions fall between stage 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.

Stop Throwing Money at Cybersecurity

Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.

We continue to prove that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and proffers a micro view of security concerns.

My new Celent report, “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for sounder and more resilient cybersecurity.

The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:

1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.

2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.

3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.

4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.

5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in silos or under pressure; select the right expertise to identify the issues and carry out due diligence on products.

6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.

7. Know what technology you want from your vendors; know what advice to seek from your consultants.

8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.

Key Takeaways from Sibos 2016

Having just returned from the whirlwind that is Sibos, I (along with many other industry observers) feel compelled to contribute my two cents on the top takeaways from the event, along with one observation on the mood. Nothing about Sibos can be exhaustive, but three key areas stood out: Cyber, PSD2, and Open Banking / APIs.

Cyber was the first topic mentioned in the opening plenary address. With its seriousness brought into stark relief by the $81mm Bangladeshi incident (something my cab driver in Boston asked about on the way to the airport!), cyber was a focus throughout the conference. While it has long been an important issue, it has catapulted to the top of the agenda of every member of SWIFT’s ecosystem given the recognition that the system is only as secure as its weakest node.

PSD 2 is often thought of in a retail banking context, but its implications will carry over to the corporate side as well. There are two critical points: 1) Banks must make their customers’ data accessible to any qualified third party, and 2) Third parties can initiate payments. These changes will have profound second-, third-, and even fourth-order effects that can scarcely be imagined today. Banks are thinking through what they need to do to comply, as well as what their strategies should be once they’ve implemented the necessary (and not inconsequential) technology changes. For a primer on the current state of PSD2, see Gareth Lodge’s recent report on the subject.

Open Banking is enabled by APIs. While PSD2 is certainly accelerating the concept, it would have been gaining momentum even without the external pressure. There are simply too many activities that can be done better by third parties than by banks, and the banks have realized that they need frictionless ways to tap into these providers. APIs are a critical mechanism to enable this interaction. Technology, of course, is a necessary but not sufficient condition for success; banks must be culturally able to integrate with new partners quickly and flexibly.

On a final note, the mood was pragmatic. The atmosphere wasn’t one of consternation, panic, or confusion. Instead, the buzz was focused, purposeful, and businesslike. Bankers and their service providers are ready to roll up their sleeves and get the job done instead of wringing their hands about all of the possible ill-fated futures that could arise. We at Celent look forward to the progress to come in 2017. What are your thoughts?

Corporate Onboarding: Starting the Relationship Off on the Right Foot or Putting Your Foot In It?

Just for a moment, imagine that you are a corporate treasurer, forced to find a new lead transaction banking provider because one of your incumbents is either getting out of the business, prefers to work with companies that are smaller/bigger/borrow more money, or has closed down its operations in several countries where you do business. You have gone through the effort of creating a complex RFP and sent it to 3 or more banks, and after an exhaustive search and extensive contract negotiations, you have made your decision and it's time to start the onboarding process. You are excited to move your banking activity to a new provider that has done such a masterful job of convincing you of its superior products and solutions, its investments in leading edge technology and its world-class customer service. And then reality hits: the onboarding process kicks into high gear. You understand that banks are facing increasing regulatory scrutiny in the areas of KYC and AML, because even your current providers are looking for regular updates for compliance purposes. But you hope that the process has been streamlined since the last time you established a new primary transaction banking relationship. After filling out reams of paper documents, fielding multiple calls from different areas of the bank asking for the same information you have already provided, pinging your bank relationship manager for status updates on a weekly basis, and wondering out loud more than a few times, "why did I choose this bank?", the onboarding process is finally complete (except for some of those more complicated host-to-host integration pieces), and it only took twelve weeks from start to finish.

As described in a recent Celent report titled Onboarding in Corporate Transaction Banking: Prioritizing Investments for Reducing Friction, transaction banking providers have lots of room for improvement when it comes to starting the relationship off on the right foot. Our thesis is that improving the onboarding process from a client-centric perspective should be one of the most important priorities for transaction banking. Whether establishing a new relationship or assisting a client in expanding an existing one, implementing transaction banking services in an efficient, timely, and transparent manner can be a key demonstration of a bank’s commitment to client-centric innovation.

Even with significant technology investments over the past decade by banks to improve components of the onboarding process, it is common to hear frustration on the part of corporate clients about its manual nature, the increase in the amount of paperwork being requested by banks, the length of time it takes to be able to use the account or services, and the lack of visibility into the process. It's easy to blame the regulators, but the bottom line is that most banks are investing in components of onboarding to check off the compliance box and, in some cases, are actually adding friction to the onboarding experience for clients rather than removing it.


But there is hope. The current generation of KYC industry utilities, document management technology, business process management platforms, and digital channels presents an opportunity for banks to reduce friction in customer onboarding. The fundamental question is: with so many opportunities for improvement, how should banks prioritize? Well, let's get back to our imaginary corporate treasurer. How would she prioritize? What would she say if we asked how the onboarding process could be improved so that instead of frustration at the start of the relationship, there is a sense of confidence that she's chosen the right bank? Clients have experience working with several or many different transaction banks, and just as they compare the different digital channels and service quality of the banking solutions they use, they also can offer a view of how a bank’s onboarding capabilities stack up against its competitors. Corporate treasurers indicate that more self-service capability, shortened timeframes, better coordination across the bank, and enhanced visibility are all high priorities for clients.

We think that banks need to have two guiding principles for enhancing the onboarding process: 

  • enabling both internal and external visibility to eliminate the onboarding “black hole,” to reinforce accountability of all parties, and to allow for more effective collaboration
  • focusing on improvements with direct client impact, for example, reduced number of interactions, reduced requests for information already on file, digitization, consistency across geographies wherever possible, clear and concise documentation, and aggressive SLAs for onboarding

There are a few banks that get it: they not only ask for client feedback about onboarding, but they listen and adapt. They make it a high priority because they recognize that the "digital journey" isn't just about retail banking anymore. If anything, the digital experience is even more critical for corporate clients, who look to their transaction banking partners to enhance the efficiency of their treasury operations through digitization. If you can't demonstrate your commitment to innovation by offering a client-centric digital experience during the onboarding process, then you are selling your investments in digital banking solutions short. And that's putting your foot in it for sure!


Faster Than A Speeding Payment: The Race To Real-Time Is Here

It’s been two years since my last reports on real-time payments, and much has happened, not least of which is the change in the industry’s perception and understanding. As a result, the discussions in many countries that don’t have real-time payments infrastructure are now about when they will adopt, rather than why they would adopt. Yet in that intervening period, it’s not just the pace of adoption that has accelerated; the market and the thinking around real-time itself have matured as well.

As a result, I’ve just written a new report titled Faster Than A Speeding Payment: The Race To Real-Time Is Here.

Central to the report is the fact that rather than just being “faster ACH”, real-time is increasingly being seen (and should be seen!) as a fundamentally different payment type than anything that has gone before it. As a result, banks, whether they are about to implement their first system or are already existing users, need to think about where real-time is heading, and to plan accordingly.

This thinking, and more, is set out in the report, which seeks to explore the following questions:

  1. What is the pace of real-time payment adoption?
  2. Why should our bank plan for real-time payments?
  3. What should a bank do regarding real-time payments?

The pace question is clearly indicated in one of the charts from the report:

[Chart from the report: pace of real-time payment adoption by country]

From the 32 countries identified in the initial report (using the criteria we set out, which is important!), in 2 years we’ve gone to 42 countries plus cross-border systems, and of the countries that claimed they didn’t see the reason why they would adopt, at least one (the US) is currently reviewing more than 20 systems, all of which might co-exist.

The report goes into much more detail, but there is a clear implication. Real-time is firmly here, and it’s increasingly being seen as the payment system of the future. Banks that try to limit the scope of projects today may be saving themselves money in the short term, but they are likely to create more work, and more costly work, in the future. Given that most payment networks have a life span measured in decades, it’s a long time to be stuck with a compromise.

Ultimately, however, it’s about building a digital bank as well. Without doing so, banks will be providing the tools to their competitors, yet unable to use them themselves. Adding a real-time solution to a process that takes weeks, such as a bank loan, makes no difference in terms of the proposition. Fintechs are able to use a real-time payment as the enabling element of a digital experience because all of the solution set is real-time – an instant decision and payment of the loan sum is a game changer.

Digital payments without a digital bank would seem futile.

Passwords Suck – Bring on Biometrics!

Now that I have your attention, let me be clear: I hate passwords, particularly when they are increasingly required to be longer, more complex and frequently changed. Apparently, I am not alone in this sentiment.

At a conference in 2015, a small start-up, @Pay, a low-friction mobile giving platform, offered attendees a free t-shirt in return for seeing a brief demo. I must confess that I was more interested in the t-shirt than @Pay’s product demo. The line went out the door! Here is the t-shirt.

Working from a home office means t-shirts are a staple part of my daily wardrobe. I have tons of them. None of them, however, engenders such predictable responses from complete strangers as the one above. Responses range from a simple thumbs up or high-five, to an occasional, “You got that right!” Passwords do suck. I have so many to manage, I use Trend Micro’s Password Manager to ease the pain.

That’s why I am excited to see more institutions migrate to biometric forms of authentication. Dan Latimore blogged about the rapid increase in the number of US financial institutions employing biometrics within their mobile apps here.

Banks shouldn’t stop there, however. In a June 21 New York Times article, Tom Shaw, vice president for enterprise financial crimes management at USAA was quoted as saying, “We believe the password is dying. We realized we have to get away from personal identification information because of the growing number of data breaches.”

I agree with Tom’s sentiment, but if passwords are dying, it appears to be a very slow and painful death. Here’s one example of why I say this. The chart below shows surveyed likelihood of technology usage in future branch designs as measured by Celent’s Branch Transformation Research Panel in late 2015. More than two-thirds of surveyed institutions thought the use of biometrics in future branch designs was “unlikely”.

[Chart: Branch technology usage likelihood, Celent Branch Transformation Research Panel, late 2015]

Authentication and identity management may always involve a trade-off between security and convenience, but the industry’s overreliance on personal identification information is failing on both counts.

  • At ATMs – it contributes to skimming fraud
  • In digital customer acquisition – it contributes to unacceptably high abandonment rates
  • In the mobile channel – it contributes to its slowing rate of utilization growth
  • In the branch – banks deny themselves the ability to delight customers with improved engagement options made available by skillful digital/physical integration

We’ll be looking into the topic of authentication and identity management in our next Digital Banking Research Panel survey in the coming weeks. If you’re a banker and would like to participate in this or future Digital Panels, please click here to fill out a short application.

Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the different risks across their institutions. It has been and will remain costly, time consuming and a top priority. Celent profiles two award-winning banks that have modelled excellence in their use of risk management technologies across their organizations.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA

Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information onto a single platform that connected to front office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk rating and risk-weighted asset calculations engine. The initiative is seen as one of the most important in the bank’s history. The successful completion of the project has placed Alfa-Bank at the forefront of setting standards and best practice methodologies for capital management regulations for the Russian banking industry and Central Bank.

USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE

The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial and vocal) to access its mobile banking application positions USAA to be able to compete with Fintechs across the digital banking ecosystem and offer exceptional service to its military and family members.

USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are, and they address increasing concerns around the high level of compromise of static user names, passwords, and predictable security questions through sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.     

Congratulations to Celent Model Bank 2016 Winners!

Last week many of us at Celent were in New York attending our Innovation and Insight Day on April 13th. It is Celent's flagship event during which we announce Model Bank and Model Insurer winners and celebrate their achievements. In addition, the program includes keynote speeches from industry leaders and Celent analysts, plenty of opportunities to network with peers, and even to experience some of the latest technologies first hand, courtesy of our sponsors.

The theme of this year's event was "Financial Services Reborn", and the Museum of American Finance on Wall Street provided an inspiring setting to celebrate innovation in financial services. Craig Weber, Celent CEO, kicked off the proceedings drawing insightful parallels between the Battle of the Alamo and the future of financial services. It must have been the first time in Craig's career that he had to come up on stage to the soundtrack of hip hop music, an extract from the Broadway musical "Hamilton", but it set the tone for the rest of the day – to expect the unexpected and to be open to new ideas.

Both of our guest speakers – Nadeem Shaikh, Co-Founder and CEO of Anthemis Group, and Leanne Kemp, Founder and CEO of Everledger – thrilled the audience and opened everyone's eyes to the opportunities presented by Fintech and Blockchain respectively, while our colleague Will Trout spoke eloquently about consumer-led convergence. A big 'thank you' to all the speakers, as well as the sponsors supporting the event!

The rest of the day was all about celebrating the achievements of Model Bank and Model Insurance award winners. As many of this blog's readers know, the vision for Celent’s Model Bank research, now in its ninth year, is to spotlight effective uses of technology in banking. This year we received a record number of submissions – well over 100 – that came from all over the world; the nominations were spread equally between North America, EMEA and APAC. The award winners come from four continents and nine countries and range from credit unions and microfinance institutions to the world's largest banks.

Celent Model Bank 2016 winners are:

  1. Digital Banking Transformation
     • Citizens Bank, US
     • DenizBank, Turkey
     • Garanti Bank, Turkey
     • Santander, US
  2. Omnichannel Banking
     • BECU, US
     • Beyond Bank, Australia
     • Standard Chartered Bank, Korea
  3. Digital Payments and Cards
     • Bank of America Merrill Lynch, US
     • RBC, Canada
  4. Corporate Payments and Infrastructure Modernization
     • Bank of China, China
     • CBW Bank, US
  5. Cash Management and Trade Finance
     • CIBC, Canada
     • HBL (Habib Bank), Pakistan
  6. Security, Fraud, and Risk Management
     • Alfa-Bank, Russia
     • USAA, US
  7. Legacy Transformation
     • Sberbank, Russia
     • Umpqua Bank, US
     • Vietnam Bank For Social Policies, Vietnam

  Model Bank of the Year
     • Eastern Bank, US

As always, we published a series of reports with detailed case studies of all winning initiatives. Celent research subscription clients can access the Model Bank of the Year and individual category reports via our website.

This year we also introduced a new award, Model Bank Vendor. We wanted to acknowledge the vendor role in helping multiple clients achieve technology or implementation excellence, one of our judging criteria, and to extend our appreciation to the entire vendor community, which is instrumental in the ongoing success of the Model Bank program. Celent recognized two companies as Model Bank Vendors for 2016:

  • EdgeVerve Systems
  • Nucleus Software

Congratulations to all our award winners! We are grateful to have been exposed to so many extraordinary initiatives and the talented individuals responsible for their success. We look forward to continuing with the Model Bank program next year to identify and award the most impressive banking technology initiatives from around the world, and will begin accepting nominations again in September – stay tuned!


The iPhone, the FBI, and the lessons for bankers

With today’s news comes the interesting development that the FBI has apparently used a “tool” acquired from an unnamed third-party white hat security firm to gain access to the locked iPhone of one of the San Bernardino shooters without requiring Apple’s cooperation. This issue had been the subject of a recent tug-of-war between Tim Cook and the US Department of Justice.

While FBI Director James Comey has been mum on the details, some in the IT security community have speculated that the new tool employs a so-called “brute force attack” on the iPhone by sequentially guessing the device’s passcode until the device unlocks itself. While the lock-out feature is user-configurable, an iPhone running the current version of iOS will normally give the user 10 chances to input the passcode correctly before permanently locking the user out and deleting all user data from the device.

Cloud services to the rescue. The speculation is that the newly acquired FBI tool was able to get around this measure by simply cloning the software from the perpetrator’s iPhone, including the operating system and all of the user data files, hundreds or thousands of times and performing what is effectively a “distributed brute force attack” by repeatedly guessing passcodes from a master checklist across the clones in parallel. When an individual clone becomes locked, that clone is discarded and the tool continues the guessing game with other clones on a reduced list of candidate passcodes until one of the guesses finally works.

The likely reason why the FBI has apparently succeeded is the fact that the perpetrator’s passcode was static, meaning it didn’t change during the course of the many times that the FBI tried one guess after another. (In this context, it was important that the perpetrator was caught, as otherwise he would have changed his passcode and/or wiped the data remotely, a capability that Apple provides to all iPhone users.)

What does this have to do with banking security? As demonstrated by the success of the FBI’s new white hat tool in breaking Apple’s device security, the simple reality of data protection is that no encryption technique is foolproof, particularly against the threat of a brute force attack.

Given the power of the cloud to solve a large computational problem like guessing a large encryption key using a cloud-based “divide and conquer” approach, bankers need to pay attention to the need to employ strong encryption keys while rotating their keys on a regular basis.

The definition of “regular basis” will depend on the sensitivity of the data to be protected, but one thing is for sure: the bank that creates an enterprise encryption key once and thinks it is protected forever is dangerously vulnerable to a future cyber attack based on a distributed brute force technique such as the one that was quite possibly used by the FBI’s white-hat vendor.

Given the importance of encryption to maintaining a safe and FFIEC-compliant environment for the safekeeping of NPI, and especially in light of the emergence of services like Blockchain that are dependent on encryption for success, banks ought to be paying close attention.
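The cloning argument above and the key-rotation point that follows share one lesson: a defense only holds if it bounds the total number of guesses an attacker gets against a single secret. The toy model below is added here to make that concrete; it is not code from the post and not Apple's design. It compares a lockout counter stored inside the clonable image with one held outside it (standing in for a hardware-backed counter), then computes the share of a keyspace a parallel search can cover before a key rotates. The passcodes, candidate list and guess rates are constructed.

```python
"""Toy model: lockout counters versus cloning, and key rotation as a guess budget.

Constructed for illustration only; not Apple's implementation and not from the post.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_ATTEMPTS = 10      # the ten-try limit the post describes
KDF_ITERATIONS = 1000  # deliberately low so the toy runs quickly


def derive_verifier(passcode: str, salt: bytes) -> bytes:
    """Slow hash of the passcode; stands in for the device's key derivation."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


@dataclass
class DeviceImage:
    """Everything a clone copies. In the weak design the try counter is in here too."""
    salt: bytes
    verifier: bytes
    attempts_used: int = 0
    wiped: bool = False


def make_image(passcode: str) -> DeviceImage:
    salt = os.urandom(16)
    return DeviceImage(salt=salt, verifier=derive_verifier(passcode, salt))


def try_unlock_counter_in_image(img: DeviceImage, guess: str) -> bool:
    """Weak design: the lockout counter is part of the clonable image."""
    if img.wiped or img.attempts_used >= MAX_ATTEMPTS:
        img.wiped = True
        return False
    img.attempts_used += 1
    ok = hmac.compare_digest(derive_verifier(guess, img.salt), img.verifier)
    if not ok and img.attempts_used >= MAX_ATTEMPTS:
        img.wiped = True  # tenth wrong guess: this copy is gone
    return ok


def clone_and_guess(master: DeviceImage, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """The strategy the post describes: discard a locked clone, start a fresh one.
    Returns (passcode found or None, total guesses made across all clones)."""
    total = 0
    clone = copy.deepcopy(master)
    for guess in candidates:
        if clone.wiped:
            clone = copy.deepcopy(master)  # the counter comes back at zero with the copy
        total += 1
        if try_unlock_counter_in_image(clone, guess):
            return guess, total
    return None, total


class MonotonicCounter:
    """Counter held outside the image (stand-in for tamper-resistant hardware).
    It is not a field of DeviceImage, so copying the image does not copy it."""

    def __init__(self) -> None:
        self.value = 0


def try_unlock_anchored(img: DeviceImage, counter: MonotonicCounter, guess: str) -> bool:
    """Hardened design: the external counter is checked and bumped before verifying."""
    if counter.value >= MAX_ATTEMPTS:
        return False
    counter.value += 1
    return hmac.compare_digest(derive_verifier(guess, img.salt), img.verifier)


def clone_and_guess_anchored(master: DeviceImage, counter: MonotonicCounter,
                             candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Same cloning strategy against the hardened design: MAX_ATTEMPTS guesses in total."""
    total = 0
    for guess in candidates:
        clone = copy.deepcopy(master)  # a fresh clone each time changes nothing
        if counter.value >= MAX_ATTEMPTS:
            break
        total += 1
        if try_unlock_anchored(clone, counter, guess):
            return guess, total
    return None, total


def keyspace_fraction_before_rotation(key_bits: int, guesses_per_second: float,
                                      workers: float, rotation_seconds: float) -> float:
    """Share of a key's space a brute force can cover before the key is rotated.
    Like the counter, rotation caps how many guesses any one secret ever faces."""
    return guesses_per_second * workers * rotation_seconds / 2 ** key_bits


if __name__ == "__main__":
    candidates = [f"{i:04d}" for i in range(10_000)]  # constructed ordered 4-digit list
    image = make_image("0042")
    print("counter in image:", clone_and_guess(image, candidates))  # ('0042', 43)
    print("counter anchored:", clone_and_guess_anchored(image, MonotonicCounter(), candidates))  # (None, 10)
    print("128-bit key, 1e6 workers at 1e9/s, yearly rotation:",
          keyspace_fraction_before_rotation(128, 1e9, 1e6, 365 * 86400))
```

With the counter inside the image the search succeeds after five clones and 43 guesses; with the counter anchored outside it, the same search stops at 10 guesses total, which is the property the post's "static passcode" argument is really about.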

Liquidity management: Staying afloat in turbulent times

Liquidity management has recently begun to assume increasing importance as four key external forces create turmoil in a historically placid section of corporate treasury.

The most significant regulation affecting liquidity management is Basel III, along with others such as money market fund reform. Taken together, they’re changing the way banks structure their balance sheets and the relationship between business customers and their banking partners.

On the economic front, businesses of all sizes continue to seek opportunities abroad. Combined with an environment of negative interest rates in several countries, this is making management of liquidity distributed across markets, currencies, and business units that much more complex and increasingly challenging.

Industry initiatives such as expanded use of ISO 20022 XML and real-time payments provide both opportunities and challenges for cash and liquidity management, and as the speed of transactions accelerates, so does the need for even more timely information.

Technology evolution has facilitated a move toward centralisation, which in turn is accelerating the adoption of more advanced cash and liquidity management capabilities to support the modern day treasury function.

With external forces causing substantive and permanent shifts in available options, corporations need to have the technology infrastructure in place to manage their liquidity and investments with tighter risk governance. As discussed in the new Celent report “Staying Afloat: External Forces Impacting Corporate Liquidity Management,” no one can predict what lies around the next bend in the river, but robust strategic preparation can equip treasurers to ride out the next stretch of liquidity management turmoil.