Challenges Facing Organizations in the Current Risk Environment

The Association for Financial Professionals (AFP) recently published its 2017 AFP Risk Survey Report of Survey Results. The survey, supported by Marsh & McLennan Companies (Celent’s parent company), provides a snapshot of the challenges organizations face in the current risk environment. Responses from 480 senior-level corporate practitioners (primarily based in the US) formed the basis of the survey.

Corporate practitioners rank tougher competition (40%) as the highest risk factor impacting organization earnings in the next three years, followed by customer satisfaction (33%) and U.S. political and regulatory uncertainty (32%). While the three top-ranked factors are similar to those in the 2016 AFP Risk Survey, the order differs.

The survey authors made an intriguing observation on the ranking of risk factors: “It is interesting that in an election year (during which this survey was conducted), finance professionals believed competition would have a greater impact on their organizations’ earnings than would any uncertainty surrounding the U.S. political and regulatory environment.”

The report of survey results goes on to discuss risk mitigation actions in direct response to various types of risk. For example, in response to geopolitical risks, 60% of respondents are most focused on maintaining adequate liquidity, with a greater share of larger companies than smaller companies paying attention to maintaining liquidity (65% to 57%).

If you are a corporate banker or treasury management professional, I highly recommend a reading of the 2017 AFP Risk Survey results. The survey data provides valuable insights into the current and emerging threats facing US corporations of all sizes.

Celent Model Bank Awards: Fraud, Risk Management, Process Automation and Flub-Free

It is my privilege to be part of the judging panel for Celent Model Bank Awards for 2017 for the following three categories:

  • Fraud Management and Cybersecurity – for the most creative and effective approach to fraud management or cybersecurity.
  • Risk Management – for the most impressive initiative to improve enterprise risk management.
  • Process Automation – for the most effective deployment of technology to automate business processes or decision-making.

A common theme across this year’s submissions for the above categories is the importance of agile technology, digital process automation, and consistent and focused practices across the organizations. A large number of the entries show that a streamlined and automated operational risk framework is critical to running a successful risk management program. Everything connects and has a consequence, and unless banks can join the risk dots across their ecosystems, they will continue to spend at a very high rate with unsatisfactory and, at times, devastating results.

Improved data analysis and machine learning capabilities also featured prominently in the winning case studies. A central data platform, automated processes and improved insights have produced notable increases in efficiency, better control of costs, reduced resourcing requirements, reduced errors and false positives and have made it easier for the banks to adapt to their digital footprint, an expanding cyber threat landscape, and intense and complex regulatory obligations.

Hopefully, no flubs on the big day

Without exception, every submission is of high quality, and we found it a daunting task to pick the most worthy award recipients. In the end, we are excited and confident about our selection of winners in the above categories, yet we are sorry that we could not recognize so many others that clearly also deserve recognition.

At the moment we are staying tight-lipped about who won the awards. We will be announcing all winners publicly on April 4 at our 2017 Innovation & Insight Day in Boston. In addition to presenting the award trophies to the winners, Celent analysts will be discussing broader trends we’ve seen across all nominations and will share our perspectives on why we chose those particular initiatives as winners. Make sure you reserve your slot here while there are still spaces available!

How to Woo a Bank

When it comes time to choose a business partner, banks will favor those who help them execute their third party risk management (TPRM) responsibilities over those who begrudgingly comply.

The risk to a bank of doing business with a third party is real; the consequences of a risk event are not only disruptive, but often result in long-term reputational damage that can seriously affect the bottom lines of both the bank and the third party. We have all seen the media coverage. Parties who can make TPRM easier for banks by being proactive, transparent, and helpful will distinguish themselves in an ever more competitive environment.

They must show that they are compliant with the bank’s risk management requirements throughout the RFP, due diligence, onboarding processes, and lifecycle of the engagement. OCC TPRM regulations alone require the bank to evaluate 16 risk dimensions when engaging with a third party. And, if the relationship involves a high or critical risk activity, the bank will carry out a much more thorough due diligence, often including an on-site visit to inspect operational risk procedures in the case of a risk event.

Furthermore, there is now an expectation that the third party will willingly take a portion of the liability of such an event.

Banks are introducing a new level of discipline and quantification around the measurement of third party risk. With this knowledge, banks can determine third party indemnification provisions and allocation of liabilities at the contract stage. You will be at a disadvantage if you do not have a way to measure and verify the scope of a potential risk event that involves your products or services.

Celent is also beginning to witness the inclusion of provisions within contracts that require a third party to reimburse the bank for out-of-pocket costs relating to data security breaches that occurred due to the third party's negligence. As banks continue to push back on third party risk liabilities, third parties need to ensure they have in place insurance policies that can fund indemnification obligations.

My two recent research reports discuss the changing and expanding landscape for TPRM and explain why banks, regulators and third parties need to commit to their significant other in the management and responsibility of risk.

Model Bank 2017: Small Business and Corporate Digital Innovation Themes

This is the fifth article in a weekly series highlighting trends and themes from Celent’s Model Bank submission process. For more information on how the Model Bank Awards have evolved, see the first two pieces from Dan Latimore and Zil Bareisis. This particular article is focused on innovations in small business and corporate banking:  two critical market segments for financial institutions as they seek revenue growth and relevance in the evolving digital B2B marketplace. 

When evaluating this year’s Model Bank submissions that are targeted at small business and corporate clients, we identified a number of excellent initiatives in each of the five overall categories:

  • Customer Experience
  • Products
  • Operations and Risk
  • Legacy Transformation / IT Platform Innovations
  • Emerging Innovation

For these two segments, the Model Bank award candidates come from Europe, North America, the Caribbean, Asia Pacific and the Middle East. Despite the wide geographic spread of the submissions we received, certain common themes became evident that are important to highlight:

Enhancing client experience is paramount: Banks are intensely focused on how to deliver solutions to clients in ways that are convenient and easy to use in order to meet the emerging expectations of business users based on their consumer experiences with technology. Creating a consolidated point of access for all corporate banking services using portal technology that eliminates the need for multiple logins and security procedures was just one of the types of initiatives that were submitted.  Mobile and tablet access are becoming mainstream channels for employees of business and corporate clients to effectively manage their daily workload no matter where they might be located.

Improving digital channels is not enough to succeed: The initiatives that demonstrate significant quantifiable benefits to banks and clients are those that address the inefficiencies in the way that bank employees interact with their clients but also involve the elimination of paper-intense, manual workflows both for the client and the bank. From the use of videoconferencing technology to access experts in trade finance for advisory services to the replacement of faxed instructions with digitally signed transactions initiated on mobile phones, banks are finding innovative ways to contribute to their own efficiency while also improving client productivity. Another critical element of the digitization of these processes is speed. Automation enables faster decisions (for example, for credit approval), and this provides businesses with a superior service and the ability to manage their businesses rather than managing their banking relationships. These initiatives drive revenue growth and loyalty because the bank’s services provide quantifiable benefits to clients that are seeking to leverage technology advances in order to more effectively manage their working capital.

Reinvention in Small Business Banking: I was struck by several of the initiatives that represent an entirely new way of thinking about how to enable entrepreneurs and small business owners to succeed. Rather than tweaking traditional banking solutions that are designed for consumers or larger businesses, several of the banks submitted initiatives that reflect an entirely different way of meeting the needs of small business clients. Recognizing that the needs of entrepreneurs and start-ups fall well beyond the services that a bank traditionally offers (i.e. credit, payments, cash management), a few innovative banks have attempted to reinvent business banking by offering a complete, integrated package that combines traditional banking activities with non-banking services that extend beyond even the adjacent types of solutions that banks typically make available through partnerships (e.g. payroll services). The goal of these packages is to offer a business owner every piece of business functionality and technology they would need to grow their business. What makes these solutions especially impactful is that they are designed from a business owner’s perspective and don’t reflect a bank-centric view of how the client should manage their business. 

I hope this brief description whets your appetite for more discussion on our award winners in small business and corporate banking at the 10th annual Innovation and Insight Day on April 4th in Boston. I look forward to seeing you there.

European Payments: Breathing a Sigh of Relief (For Now)

In our recently published report on Top Trends in Retail Payments we quoted a European payments professional:

“If the publication of PSD2 gave the industry a headache, then the publication of draft RTS gave it a heart attack.”

Of course, he was talking about the draft regulatory technical standards (RTS) that the European Banking Authority (EBA) has been tasked to develop for how the industry should implement the Payment Services Directive's (PSD2) requirements for strong customer authentication and secure communication.

The draft RTS published in a consultation paper last August was indeed rather draconian. One of the key proposals was "not to propose exemptions based on a transaction risk analysis performed by the PSP” and to keep “the authentication procedure […] fully in the sphere of competence of the ASPSP [Account Servicing Payment Service Providers, i.e. banks].” The draft RTS has united the industry to an extent rarely seen before – representatives from payments, cards, e-commerce, small merchants, digital technology, telecoms, travel and industries have expressed concerns that the EBA’s standards implemented in their current form would “make online shopping much more onerous than it is today and have a wider and chilling effect on the Digital Single Market.”

Thankfully, it appears that the EBA has been listening. The final standards have not yet been published, but yesterday, Andrea Enria, Chairperson of the EBA, gave a speech at the Westminster Forum and gave the clearest indication yet that the EBA is open to changing the RTS. Specifically, according to the speech, the RTS when published will:

  • Introduce two new exemptions, one based on "transaction risk analysis" and the other for payments at so-called "unattended terminals" for transport or parking fares. Transaction risk analysis exemption will be linked to maintaining predefined fraud levels and will be reviewed after 18 months.
  • Contain some changes to the existing exemptions, such as increasing from EUR 10 to EUR 30 the threshold for remote payment transactions. However, there will be no further exemptions for e.g. corporate payments.
  • Outlaw the current practice of third party access without identification (e.g. ‘screen scraping’) once the transition period under the PSD2 has elapsed and the RTS applies.
  • Maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. A requirement has been added requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability.
  • Remove references to ISO 27001 and other specific, technological characteristics, to ensure technology-neutrality and allow for future innovations.

It will be important to review the details when the final RTS is published, and of course, much work will still have to be done by the industry to ensure compliance. Yet, it seems that the payments professionals in Europe may breathe a sigh of relief – the heart attack may have just been averted, at least for now.

Channel Strategy for Corporate Banking: Is Your Bank Paying Enough Attention?

According to the GTNews 2016 Transaction Banking Survey Report, 91% of North American corporates are evaluating their cash management partners. Of those, 27% indicated that improving availability of online and mobile banking tools was a major reason for reviewing their bank relationships, and 55% cited the need for an improved customer experience. Clearly, these responses are evidence that large numbers of corporate clients are less than satisfied with the channel tools and the overall digital client experience being offered. Most of the banks we interviewed for recent research on this topic are hearing loud and clear that clients are looking for more streamlined, convenient, and faster access to banking services and information. Our recent report, Strategies for Enhancing Corporate Client Experience: The Future of Attended Channels, looks at strategies that leading North American and global banks are adopting to achieve the following goals:
  • Build out integrated portals to make invisible the organizational and product silos inherent in corporate banking.
  • Simplify the user experience.
  • Establish an omnichannel approach to providing consistent data and access to transactions across channels.
  • Enhance authentication options, including biometrics.
  • Expand self-service, including the ability to securely exchange documents and open accounts and new services.
While we found broad agreement on the importance of the themes described above, we identified other aspects of digital channel strategy that varied widely from bank to bank. The graphic below summarizes those opportunities for differentiation. Celent recommends that banks take the following steps to optimize their future investments in attended channels:
  1. Define the Digital Strategy for Corporate Banking, Not Just the Digital Channel Strategy.  In the current environment, attempting to implement a successful strategy for digital channels in the absence of an overall digital transformation strategy for corporate banking is short-sighted.
  2. Understand How Attended Digital Channels Fit into Clients’ Daily Workflow.  Product management and strategy executives at many institutions are driving prioritization in channels based on a set of assumptions about client preferences that may not be valid. Mapping those client digital journeys from onboarding to servicing to managing exception situations for each client persona is critical.
  3. Reexamine the Role of Partners.  In reality, the delivery of services through attended channels has always involved multiple partners, whether the bank has developed an “in-house” solution or offers one or more off-the-shelf vendor solutions. As demand for “non-core” banking functionality grows and technology evolves to enable easier integration with multiple partners, the importance of the bank maintaining control of the user experience layer that is seen and touched by the client becomes even more critical.
The decisions being made today about attended digital channels — whether as a part of a larger digital transformation initiative, enhancing the channel user experience, or establishing a corporate banking portal — will have a significant impact on the ability of corporate banks to attract and retain clients.

Banking Third Party Risk Management Requirements are a Big and Expensive Ask

Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~$750 million per year. Institutions are paying three times as much as their third party to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000 and takes the institution approximately 16 weeks to complete.

The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC expresses best the sentiment of worldwide regulators:

“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution.” www.fdic.gov

If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.

In the first report of a two-part series, just published by Celent, “A Banker’s guide to Third Party Risk Management: Part One Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. It describes the components required for a best-practice program and shows examples of two strong operating risk models being used by the industry that incorporate third party risk management into the enterprisewide risk management program.

Unfortunately, there are few institutions that have successfully implemented strategic third party risk management programs. Most institutions fall between stage 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.

Globalisation: External Forces Driving Corporate Growth and Expansion

Treasury management plays an important role in a corporation’s globalisation efforts especially in the areas of cash management, banking, foreign exchange risk, and investments. Treasury must address challenges with managing liquidity distributed across markets, currencies, and businesses, especially the need to keep up with regional liquidity nuances and regulatory issues.

As an outgrowth of globalisation, four key external forces impact opportunities and challenges for corporate growth and expansion: economic uncertainty, geopolitical climate, regulatory environment, and technology evolution.

Eight years on from the 2008–2009 financial crisis, global economic growth remains sluggish, hovering between 3.1% and 3.4% since 2012. There are numerous examples of geopolitical events exacerbating volatility, uncertainty, and risks arising from the increasing interconnectedness of regions caused by globalisation. New regulations impact treasury organizations in many ways, including in-house banking, intercompany transactions, and transfer pricing documentation.

Corporate treasury organizations continue to lean on technology to facilitate change and mitigate complexity arising from global expansion. Cloud-based treasury management systems (TMS) provide an opportunity to implement specific modules on a subscription pricing basis. Governmental agencies, banks, and fintechs are collaborating to evolve complex corporate treasury services.

As discussed in the new Celent report “Globalisation: External Forces Driving Corporate Growth and Expansion,” although firms are in different stages of their globalisation journeys, they can benefit from working with their banking partners to adopt strategies and tactics that address the external factors affecting corporate growth and expansion. Universal banks understand geographic differences and nuances, and are in a unique position to advise firms seeking to expand their businesses globally. This report is the sixth in an ongoing series of reports commissioned by HSBC and written by Celent as part of the HSBC Corporate Insights program.

Stop Throwing Money at Cybersecurity

Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.

We continue to prove that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and proffers a micro view of security concerns.

My new Celent report, “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for sounder and more resilient cybersecurity.

The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:

1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.

2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.

3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.

4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.

5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in silos or under pressure; select the right expertise to identify the issues and carry out due diligence on products.

6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.

7. Know what technology you want from your vendors; know what advice to seek from your consultants.

8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.

Against the Odds: Improving Euro Area Commercial Lending Indicators

Over the past several months the European Union has weathered a number of challenges – Brexit, political turmoil, the migrant crisis, and sluggish GDP growth among them. But surprisingly, the latest European Central Bank (ECB) data doesn’t reflect any negative shocks on credit supply and demand.

The latest Euro Area Bank Lending Survey found that competitive pressures are the main factor behind the easing of credit standards on loans to enterprises, including a narrowing of interest rate margins. At the same time, demand for loans by enterprises is increasing, driven by merger and acquisition activities, inventories and working capital, and continued low interest rates. Although demand is strengthening, alternative financing sources dampened demand for bank financing slightly.

Euro Area Bank Lending Survey

Looking at the top half of this chart, there is no question that banks ratcheted up credit standards like pricing, covenants, cash flow, and capital during Europe’s two recessionary periods. At the same time, businesses of all sizes stopped seeking credit. There is just no appetite for companies to take on additional liabilities during a period when consumers aren’t spending and the economy is shrinking.

More recently, in early 2014 both sides of the credit standards and demand equation crossed the middle point. Since then, credit standards have leveled off while credit demand from enterprises has risen slightly, especially for small-to-medium enterprises (SME).

Despite the ups and downs in credit demand and standards, loan outstandings to non-financial corporations have been surprisingly resilient, even during euro area recessionary periods.

ECB Loans to Non-Financial Corporations

The June ECB reflected slight growth over the past quarter, at the end of which the UK voted to leave the European Union. Time will tell whether Brexit and the expected negative impact to eurozone growth will dampen demand and subsequent loan growth for euro area commercial lending.