Banking Third Party Risk Management Requirements are a Big and Expensive Ask

Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~ $750 million per year. Institutions are paying three times as much as their third parties to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000, and the exercise takes the institution approximately 16 weeks to complete.

The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC expresses best the sentiment of worldwide regulators:

“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution.”

If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.

In the first report of a two-part series, just published by Celent, “A Banker’s Guide to Third Party Risk Management: Part One Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. The report describes the components required for a best-practice program and shows examples of two strong operational risk models being used by the industry that incorporate third party risk management into the enterprisewide risk management program.

Unfortunately, few institutions have successfully implemented strategic third party risk management programs. Most institutions fall between stages 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.

The new 4 C’s of commercial lending

Last week, I participated in a Finextra webinar on the topic of “Connected Credit and Compliance for Lending Growth” with panelists from ING, Vertus Partners, Misys and Credits Vision.  As I prepared for the webinar, I thought back to my first exposure to commercial lending when I worked for a large regional bank and I recalled the 4C’s of commercial lending from credit training:  character, capacity, capital and collateral.  All of those original 4C’s are still relevant in today’s environment when evaluating borrowers, but when considering the state of the commercial lending business in 2016, we need to think about an entirely new set of 4C’s:
  • Constraints on capital and liquidity
  • Cost of compliance
  • Changing client expectations
  • Competition from new entrants
On a global basis, banks are being forced to restructure their business models, technology platforms, and organizational processes in order to grow their portfolios, remain profitable, and stay in the good graces of their regulators. All the while, they must meet the evolving demands of clients who can view and manage their personal finances on demand, at their convenience, using the device of their choice. Despite these challenges, the panel remains optimistic that banks can and will evolve to grow this critical line of business. Where does this optimism come from? Alternative lenders present both a threat and an opportunity for banks as they make the difficult decisions on whether and how to serve a particular segment of the commercial lending market. Fintech partners offer more modern solutions than the decades-old clunkers that many banks still use, providing more efficient and accurate decisioning, enhanced visibility and processing within the bank, and, where appropriate, self-service capabilities. Connectivity with clients and partners will increasingly be the hallmark of a successful commercial lender. For more insights from the panel, please register for the on-demand version of the webinar here: Finextra: Connected Credit and Compliance for Lending Growth.

Proposed new cyber security regulations will be a huge undertaking for financial institutions

The New York State Department of Financial Services (NYDFS) is one step closer to releasing cyber security regulations, aided by the largest security hacking breach in history, against JPMorgan Chase. The attack on JPMorgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call “pump and dump” manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries. On the same day as the arrests, the NYDFS sent a letter to other state and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandatory security training will also be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars. It will be very difficult to police third party security because, under the proposal, vendors will be required to provide warranties to the institution that security is in place. The requirements are in the review stage, and financial institutions should join in the debate by responding to the NYDFS letter.

The Best News About RDC in a Long While

I just finished two remote deposit capture (RDC) related reports last week – and yes, they took way too long to complete. The first was a comparison of vendor solutions and the second an analysis of the state of RDC with projections for the future. Having been immersed in RDC for a bit (OK, months), I got to thinking. There’s some great news in the world of RDC! For example:
  • The vast majority of RDC deploying financial institutions still have not suffered any economic losses attributable to RDC.
  • Even though commercial RDC is a mature market, there remains a significant upside for participating banks in terms of selling additional clients.
  • Vendor solutions continue to improve at a rapid pace, particularly in terms of providing financial institutions tools to manage risk.
  • Mobile RDC is experiencing explosive growth behind terrific consumer awareness and strong concept scores. In a July 2013 Celent consumer survey, mRDC was the second most valued capability in mobile banking, exceeded only by account aggregation (seeing all one’s accounts in one place).
  • Banks are gradually relaxing mRDC eligibility criteria and deposit limits in response to consumer demand and favorable operational experience.
And I could go on. But the most encouraging news in my opinion is that compliance worries are mostly a thing of the past – in both retail and wholesale banking lines of business at most banks. For several years, compliance was “Job #1” for RDC product managers. Thankfully, those days are largely behind us. At last, delivering value and growing the business has returned to the RDC agenda, and it has done so in significant ways. In October 2013, Celent surveyed US banks and credit unions about RDC adoption, risk, attitudes and priorities. We’ve done so annually since 2010. One question asks respondents to rank the importance of RDC priorities. We ask the same question in the context of commercial RDC (treasury management departments) as well as small business RDC (small business or retail lines of business). 2012 was good news. 2013 even better news – after years of a compliance dominated agenda, client adoption solidly returned to the #1 spot. The figure below graphs the percent of respondents ranking each priority as “most important”. Note the year-to-year changes.
[Figure: SMB RDC priority 2013]
Don’t get me wrong, compliance will remain an imperative in all areas of banking, but it should no longer dominate banks’ RDC project lists. More than anything else, this will be a harbinger for good RDC things to come.

A Product Does Not a Patent Make

In November 2009, the Electronic Payment Order (EPO), or fully-digital check, was popularized in a paper published by the Chicago Fed. In the paper, the authors argued that since paper checks are now routinely cleared by fully electronic means, why not originate the instrument electronically as well. The idea may be sound. After all, the only meaningful negative associated with check payments has been the costs and delay associated with handling paper. Now, there may be an opportunity to eliminate paper entirely, while retaining the benefits of the check as a payment mechanism and leveraging the recently modernized US check payment system. Global Standard Financial (GSF), an Alpharetta, GA based start-up, holds several patents on the idea. Unlike Data Treasury, however, GSF appears intent on actually bringing products to market and generating revenue through their licensing. It sounds simple: create check images, send them to the payee electronically, and let the payee deposit them as an image cash letter along with other scanned checks and EPOs. But financial institutions must be willing to embrace EPOs for all this to occur. Something tells me that risk managers may be hard to win over. Remote deposit capture (RDC) may be illustrative of what lies ahead with EPO adoption. After five years of growth as a commercial product, over one million capture points and adoption by over two-thirds of all US financial institutions, RDC has largely failed to migrate to the consumer realm. And it’s not for lack of product. All the leading solution providers offer off-the-shelf solutions that support TWAIN compliant scanners, and many now also offer solutions for mobile RDC – using smart phones to do the image capture. With such an apparently strong concept and readily available technology, why aren’t banks offering RDC down market? One reason: compliance risk. Last fall, Celent surveyed 174 US financial institutions to better understand RDC adoption dynamics.
In part, we asked FIs that had no plans to implement consumer and/or mobile RDC products why not. Compliance risk was the #1 adoption barrier.
[Figure: Compliance Risk is Limiting RDC Deployments]

So even after patent-pending solutions for EPOs hit the market (should that occur), it may be some time before banks get comfortable with the idea. Failing that, payment system innovation may require non-banks to take the lead. More on that in a later blog.

Celent’s anti-money laundering vendor report: 2009 update

Celent’s AML vendor evaluation reports have become something of a de facto standard, referenced by banks and regulators around the world. We began covering the sector in 2003, and are about to start work on our 3rd edition of the report. AML has not gone away as a concern for banks; indeed it has expanded, across both banking tiers (reaching down into community banks and credit unions in the US, for example) and across geographies (I recently spoke at an AML conference in Malaysia that drew over 500 delegates). The behavior detection technology that underpins AML software has also expanded its boundaries within the financial institution. Celent has been behind the “enterprise risk” approach, that is, consolidating AML and anti-fraud efforts, since our first AML report back in 2002. But until the last few years there were few real-life examples to point to. Recently, however, financial institutions have become increasingly concerned with fighting fraud, including fraud committed by customers as well as employee fraud. And a growing number of firms are beginning to take a holistic approach to these issues. So this time around our report will take an enterprise risk approach as well, by including in our evaluation the anti-fraud products of the AML vendors. We’re calling it “Evaluating the Vendors of Enterprise Risk Management Solutions 2009.” We’ll be starting research on the report this month, beginning with qualifying vendors for inclusion in the report. The last edition evaluated 19 vendors and was 100 pages long. As the market has shifted, with new products emerging and others fading from sight, there may be some shuffling in order to keep the field of vendors representative of the marketplace. And although we are constantly looking at this space, we’d welcome any comments on vendors we should consider that we may have missed.
As a reminder, the AML software providers evaluated in the 2006 edition of the report were: Accuity, Ace Software Solutions, ACI Worldwide, Actimize, ChoicePoint/Bridger Insight, Experian/Americas Software, Fortent/Searchspace, FircoSoft, LogicaCMG, Mantas, Metavante/Prime Associates, Fiserv/NetEconomy, Norkom Technologies, Northland Solutions, SAS Institute, Side International, STB Systems, Top Systems, Wolters Kluwer Financial Services/PCi

Integrating Fraud and AML: The Holy Grail of Compliance?

Financial institutions are overloaded with a panoply of onerous and expensive compliance regulations, from Basel II to IAS to BCP (one might also mention an overload of acronyms). The anti-money laundering (AML) programs required by regulators in the US and many other countries are a particular headache. Banks have invested many millions of dollars in AML technology alone, not to mention the personnel costs for the compliance teams and front-office staff training. Naturally, this has got banks thinking about ways they can leverage this investment in compliance. One way forward could be to integrate their AML and anti-fraud efforts.

Banks complain a lot about the burden of AML compliance. But at the same time, they invest in and build anti-fraud systems (really not much different in kind from AML systems) quite willingly, since they naturally want to stop people from stealing money from them. In other words, anti-fraud is a business activity, with direct benefits to a bank’s bottom line. By combining anti-fraud and AML systems, therefore, banks could potentially get a business benefit from the “AML burden.” Indeed, a number of banks are moving in this direction, beginning with combining their fraud and AML departments. A smaller number have started to integrate the technology systems as well.

Software vendors have for some years promoted the idea of using one technology platform (theirs, of course) for both AML and anti-fraud. In particular, a number of the larger AML vendors have developed anti-fraud products using their core behavior detection technologies. This potentially holds out the promise for banks of a sort of compliance holy grail: leveraging the compliance investment in AML for their anti-fraud efforts, and producing some tangible business results from the investment.