Banking Third Party Risk Management Requirements are a Big and Expensive Ask

Celent, through its work with Oliver Wyman, estimates the cost to US financial institutions of undertaking due diligence and assessment of new third party engagements to be ~$750 million per year. Institutions are paying three times as much as their third parties to complete this exercise. The average cost to an institution to carry out due diligence and an assessment of a new critical third party engagement is $15,000, and the exercise takes the institution approximately 16 weeks to complete.

The top ten US banks average between 20,000 and 50,000 third party relationships. Of course, not all of these relationships are active or need extensive monitoring. But the slew of banking regulatory requirements for third party risk management is proving to be complex, all-consuming and expensive for both institutions and the third parties involved. In a nutshell, institutions are liable for risk events of their third and extended parties and ecosystems. The FDIC best expresses the sentiment of worldwide regulators:

“A bank’s use of third parties does not relinquish responsibility… but holds it to the same extent as if the activity were handled within the institution.”

If an institution doesn’t tighten its third party risk management, it is significantly increasing the odds of a third party data breach or other risk event and will suffer the reputational and financial fallout.

In the first report of a two-part series, just published by Celent, “A Banker’s Guide to Third Party Risk Management: Part One Strategic, Complex and Liable”, I show how institutions can take advantage of their established risk management practices, such as the Three Lines of Defense governance model and operational risk management processes, to identify, monitor and manage the lifecycle of critical and high-risk third party engagements across functions and levels. It describes the components required for a best-practice program and shows examples of two strong operating risk models being used by the industry that incorporate third party risk management into the enterprisewide risk management program.

Unfortunately, there are few institutions that have successfully implemented strategic third party risk management programs. Most institutions fall between stage 1 and 2 of the four stages of Celent’s Third Party Risk Management Maturity Curve. But continuing to operate without a strategic third party risk management practice will leave your institution in the hands of cyber fate and the regulators.

Stop Throwing Money at Cybersecurity

Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.

We continue to prove that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and proffers a micro view of security concerns.

My new Celent report, “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for a sounder and more resilient cybersecurity.

The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:

1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.

2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.

3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.

4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.

5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in silos or under pressure; select the right expertise to identify the issues and carry out due diligence on products.

6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.

7. Know what technology you want from your vendors; know what advice to seek from your consultants.

8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.

Brexit. Eventually. Possibly.

What did Britain say to its trade partners?

See EU later.

It’s been a funny week or two to say the least, so it seemed apposite to start with a joke (and we’re not talking about the England vs Iceland result! The Icelandic commentator is worth a 30-second listen.)

The UK woke up to find that it was leaving Europe. Given the legendary British reserve, stiff upper lip, etc., it is quite incredible just how divided the country has become, and how everyone has an opinion. As a result, there has been a lot said before, during and after the campaign that needs to be sifted very carefully. This is a genuine attempt at a factual look at quite what this means as many of the facts are very definitely not facts.

What's actually going to happen? Frankly, the short answer is nobody actually knows. No country has ever left before. Greenland did but is both smaller and was leaving for other reasons. Nor did they invoke Article 50 (more of which in a second) which has never been used. Whilst there are some legal guidelines and processes, given that the European Union is an economic union governed by politicians, it’s fair to say that the process will be very political in nature. Particularly as Article 50 is not very precise.

The first step is for the UK to activate Article 50, which effectively starts the formal process. The UK has two years between informing the European Parliament that it intends to leave and actually signing Article 50. Given other European elections, and despite some public calls from Europe to get on with it, some believe that it is likely to be later rather than sooner.

Until Article 50 is signed, the UK is still in Europe, and everything continues as it does today. What is less clear is, once Article 50 is signed, what happens next, and how long the process will take. UK Government analysts suggest 5 years, yet others say at least a decade.

Nor is it yet clear what the UK will choose to negotiate on. For example, it may choose voluntarily to adopt regulation such as PSD2. We (or, to be clear, Gareth) believe that the UK will push ahead with the PSD2, as many of the rules are either in place in the UK already, or reflect the way the Government is thinking, e.g. the Open Data Initiative is arguably far wider reaching than the Access to Accounts element of the PSD2.

It’s not clear quite what is or isn’t the European Union necessarily. For example, passporting, the rule that allows financial services firms to be licenced in one country and operate in another, is actually (according to the Bank of England website at least; other reputable sites disagree even on this!) a European Economic Area (EEA) initiative, and even countries outside of the EEA, such as Switzerland, have negotiated deals. This is particularly key for card acquirers, many of whom use their UK licence to negate the need for local ones across Europe.

So, as the saying goes, the devil will be in the detail. And that’s going to take time to unravel, and to negotiate even on the things that need negotiating.

Over the coming months, banks will need to scenario plan on multiple dimensions. They will need to identify key regulations that impact their business, how that might be regulated, and how long it would take the bank to respond. Yet many, if not most banks, will have done some of this risk profiling before the vote took place.

Until there is clarity, the reality is that the political fall-out is going to have the most impact in the short term, itself creating a degree of additional economic turmoil.

Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the different risks across their institutions. It has been and will remain costly, time consuming and a top priority. Celent profiles two award-winning banks who have modelled excellence in their use of risk management technologies across their banks.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards, simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information onto a single platform that connected to front office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk rating and risk-weighted asset calculations engine. The initiative is seen as one of the most important initiatives in the bank’s history. The successful completion of the project has placed Alfa-Bank at the forefront for setting standards and best practice methodologies for capital management regulations for the Russian banking industry and Central Bank.


The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial and vocal) to access its mobile banking application positions USAA to be able to compete with Fintechs across the digital banking ecosystem and offer exceptional service to its military and family members.

USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are, and they address increasing concerns around the high level of compromise of static user names, passwords, and predictable security questions from sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.

The new 4 C’s of commercial lending

Last week, I participated in a Finextra webinar on the topic of “Connected Credit and Compliance for Lending Growth” with panelists from ING, Vertus Partners, Misys and Credits Vision.  As I prepared for the webinar, I thought back to my first exposure to commercial lending when I worked for a large regional bank and I recalled the 4C’s of commercial lending from credit training:  character, capacity, capital and collateral.  All of those original 4C’s are still relevant in today’s environment when evaluating borrowers, but when considering the state of the commercial lending business in 2016, we need to think about an entirely new set of 4C’s:
  • Constraints on capital and liquidity
  • Cost of compliance
  • Changing client expectations
  • Competition from new entrants
On a global basis, banks are being forced to restructure their business models, technology platforms, and organizational processes in order to grow their portfolios, remain profitable, and stay in the good graces of their regulators, all the while meeting the evolving demands of clients who can view and manage their personal finances on demand, at their convenience, using the device of their choice. Despite these challenges, the panel remains optimistic that banks can and will evolve to grow this critical line of business.

Where does this optimism come from? Alternative lenders provide both a threat and an opportunity for banks as they make the difficult decisions on whether and how to serve a particular segment of the commercial lending market. Fintech partners offer more modern solutions than the decades-old clunkers that many banks still use, providing for more efficient and accurate decisioning, enhanced visibility and processing within the bank, and, where appropriate, self-service capabilities. Connectivity with clients and partners will increasingly be the hallmark of a successful commercial lender.

For more insights from the panel, please register for the on-demand version of the webinar here: Finextra: Connected Credit and Compliance for Lending Growth.

Increasing headwinds in corporate banking?

This week I’m in Singapore, which provides a beautiful backdrop for Sibos 2015, the annual conference that brings together thousands of business leaders, decision makers and topic experts from a range of financial institutions, market infrastructures, multinational corporations and technology partners.


This year’s conference theme is connect, debate and collaborate and takes place at a time of increasing headwinds from a slowing global economy, higher compliance costs, increasingly global corporates, and competition from both banks and nonbanks alike. I spent the past few months taking a deep dive into corporate banking performance over the past 10 years–a period of both tremendous growth and unprecedented upheaval. As expected, corporate banking operating income and customer deposit balances have experienced healthy growth rates over the past 10 years. But surprisingly, despite increases in customer deposits, corporate banking income was largely stagnant over the past few years.

Corporate Banking Income and Deposits

Corporate banking plays a dominant role for the largest global banks. In 2014, corporate banking was responsible for 33% of overall operating income and 38% of customer deposits across the 20 banks included in this analysis.

As outlined in the new Celent report, Corporate Banking: Driving Growth in the Face of Increasing Headwinds, this critical banking sector is shaped by four external forces: economic conditions, the regulatory environment, business demographics, and financial technology. These same factors are slowing corporate banking growth and creating an environment in which banks are overhauling client offerings in the face of regulatory pressure, re-evaluating geographic footprints in response to shifting trade flows, and investing in technologies to ensure a consistent, integrated customer experience.

Much of the discussion at Sibos is on exploring transformation in the face of disruption. As they look to an unsettled future, corporate banks that are flexible, adaptable, and creative will be the ones that succeed. Changing time-tested ways of doing business is painful, but critical for future success.

Paying banks to take your money — huh?

Corporations have historically parked excess cash in their demand deposit accounts to take advantage of earnings credit allowances. Each month, the bank calculates the earnings allowance for a client’s accounts by applying an earnings credit rate to available balances. The earnings allowance is then used to offset the cost of cash management services. In the United States, corporates got the option of earning interest in money market accounts with the repeal of Reg Q by Dodd-Frank.

The Liquidity Coverage Ratio (LCR) provisions of Basel III and the advent of negative interest rates in some European countries are upending traditional cash flow management for banks and their corporate and institutional clients. The LCR requires large and internationally active banks to meet standard liquidity requirements. It makes assumptions for deposit runoff in times of financial stress, resulting in a liquidity squeeze. Banks must hold enough high quality liquid assets (HQLA) to fund their operations during a 30-day stress period. Examples of high quality assets include central bank reserves and government and corporate bond debt.

The phase-in of the LCR started on January 1, 2015. It requires banks to distinguish between two types of short-term (30 days or less) deposits. Operational deposits include working capital and cash held for transactional purposes. Non-operational balances are other cash balances not immediately required and assumed to be investments, such as short-term time deposits with a maturity of 30 days or less and accounts with transaction limitations, such as money market deposit accounts. Non-operating/excess balances are assigned a 40% runoff rate for corporations and government entities and 100% for financial institutions, making them the least valuable to banks. As a result, corporates with non-operational cash investments may find it difficult to place them in overnight investment vehicles.

Many banks are reducing their non-operating deposits either by encouraging corporates to place their funds elsewhere, or by creating new investment products such as 31+ day CDs, money market funds and repurchase agreements to avoid the LCR charge on excess balances. Similarly, corporates also face a risk of higher costs for committed lines of credit, which also require more Basel III capital to be held by banks.

Bank demand for HQLA in the form of central bank reserves, along with European fiscal policy, has pushed central bank interest rates into negative territory for the safest monetary havens (Sweden and Switzerland). In other countries with central bank rates hovering near zero, once you take the inflation rate into consideration, those rates are negative as well (ECB and Denmark).

Central Bank Interest Rates

Central banks had hoped that negative interest rates would encourage commercial banks to increase lending, but there’s only been a slight increase in outstanding loan balances. Financial institution clients are hardest hit by central bank negative interest rates, particularly deposits in Euros, Swiss francs, Danish crowns and Swedish crowns. Many global banks are charging “balance sheet utilization fees” or other deposit fees. For corporate clients, savvy banks are taking a collaborative approach—working with corporate treasurers to educate them on the impact of regulatory and economic forces on their cash management and investment decisions and advising them on the available options.
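The two calculations described above (the monthly earnings credit that offsets service fees, and the LCR treatment that classifies short-term deposits as operational or non-operational and applies a runoff rate by counterparty type) can be put side by side in a small model. The code below is an added illustration, not from the original post or from Celent; the 40% and 100% non-operational runoff rates are the ones quoted in the text, while the 25% operational runoff rate, the 100% LCR minimum, the actual/365 day count for the earnings credit and all deposit balances are assumptions constructed for the example.

```python
"""Toy model of the earnings credit allowance and the LCR deposit-runoff
classification discussed in the post. Constructed example, not bank code."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Runoff rates for NON-operational balances as quoted in the text.
NON_OPERATIONAL_RUNOFF = {
    "corporate": 0.40,
    "government": 0.40,
    "financial_institution": 1.00,
}
# The post gives no rate for operational deposits; this value is an assumption.
ASSUMED_OPERATIONAL_RUNOFF = 0.25
# Minimum ratio of HQLA to stressed outflows; assumed for the example.
ASSUMED_LCR_MINIMUM = 1.00
STRESS_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Deposit:
    client: str
    counterparty_type: str   # key into NON_OPERATIONAL_RUNOFF
    balance: float
    operational: bool        # working capital / transactional cash
    maturity_days: int       # days until the client can withdraw


def runoff_rate(d: Deposit) -> float:
    """Fraction of the balance assumed to leave during the 30-day stress."""
    if d.operational:
        return ASSUMED_OPERATIONAL_RUNOFF
    return NON_OPERATIONAL_RUNOFF[d.counterparty_type]


def stressed_outflow(deposits: Iterable[Deposit]) -> float:
    """Sum of balance * runoff for deposits maturing inside the stress window.
    A 31+ day CD falls outside the window, which is why banks create them."""
    return sum(d.balance * runoff_rate(d)
               for d in deposits if d.maturity_days <= STRESS_WINDOW_DAYS)


def lcr(hqla: float, deposits: Iterable[Deposit]) -> float:
    """Liquidity Coverage Ratio = HQLA / stressed net outflows."""
    outflow = stressed_outflow(deposits)
    return float("inf") if outflow == 0 else hqla / outflow


def hqla_shortfall(hqla: float, deposits: Iterable[Deposit]) -> float:
    """HQLA the bank would still need to buy to meet the assumed minimum."""
    required = ASSUMED_LCR_MINIMUM * stressed_outflow(deposits)
    return max(required - hqla, 0.0)


def earnings_allowance(available_balance: float, ecr_annual: float,
                       days_in_month: int, service_fees: float) -> Tuple[float, float]:
    """Monthly earnings credit (actual/365 day count, an assumption) and the
    service fees still payable after the credit is applied."""
    credit = available_balance * ecr_annual * days_in_month / 365
    fees_due = max(service_fees - credit, 0.0)
    return credit, fees_due


def sample_book() -> List[Deposit]:
    """Constructed deposit book used for the demonstration."""
    return [
        Deposit("Acme Corp", "corporate", 1_000_000, True, 1),
        Deposit("Acme Corp excess", "corporate", 500_000, False, 10),
        Deposit("Broker-dealer", "financial_institution", 300_000, False, 7),
        Deposit("Acme 31-day CD", "corporate", 400_000, False, 31),  # outside window
    ]


if __name__ == "__main__":
    book = sample_book()
    for d in book:
        print(f"{d.client:18s} runoff {runoff_rate(d):.0%} -> "
              f"{d.balance * runoff_rate(d):>10,.0f}"
              + ("" if d.maturity_days <= STRESS_WINDOW_DAYS else " (excluded)"))
    print("stressed outflow:", f"{stressed_outflow(book):,.0f}")
    print("LCR with 900k HQLA:", f"{lcr(900_000, book):.2f}")
    credit, due = earnings_allowance(2_000_000, 0.005, 30, 1_000)
    print(f"earnings credit {credit:,.2f}, fees still due {due:,.2f}")
```

Running the model shows the incentive the post describes: the financial-institution balance costs the bank its full amount in assumed outflow, the corporate excess balance costs 40%, and the 31-day CD costs nothing, so moving non-operational cash into 31+ day products is the cheapest way for the bank to lift its ratio.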

The next step in European ACH competition?

Yesterday saw very interesting news coming out of Europe regarding a joint venture between 6 European ACHs. To understand why many of us have sat up and taken VERY close interest in the announcement, we need to review some recent history first. Much of this will be covered in more detail in a forthcoming report on ACHs.

In the very early days of SEPA, the European Commission made many public comments. As SEPA was as much a political goal as anything, many of these were observations on how the Commission thought the market ought to develop. Given the size of the task and the perceived reluctance of the banks to do anything about SEPA, the Commission narrowed down the observations to a set of specific requirements, eventually culminating in the regulations that made migration mandatory in Euro countries. The downside is that some of the initial elements triggered some activity, but they were never fully pushed through.

One such item was the Commission’s perception that there was an over-supply of payments processors. In the Commission’s view, a single market would reduce the 50+ processors to between 5 and 7. That would be enough for a competitive market, but not so many as to make for an inefficient market. The latter stance is based on the fact that processing is broadly a fixed cost business, and so the larger the volumes processed, the cheaper the cost per transaction is to process.

The result of this statement was a flurry of activity amongst the ACHs to be one of the “survivors”. It triggered a wave of mergers (Equens is a German/Dutch/Italian merger, for example), near mergers (everyone courted everyone else!) and direct approaches to banks and markets to acquire them as customers and boost volumes. But whilst there were mergers, the market broadly remained unchanged. Indeed, some markets chose to build their own SEPA compliant ACH, rather than use the services of a SEPA-ready ACH. There are many reasons for this, not least ownership and control.

The announcement yesterday therefore was very significant. At face value, 6 ACHs are going to collaboratively process cross-border SEPA payments. Given the tiny volumes, this isn’t exciting. However, dig deeper, and it becomes clear that Equens – arguably the largest ACH in Europe – is providing all the infrastructure and services to the new company, and the new joint entity is registered at… Equens HQ. Those other 5 ACHs are considerably smaller; their volumes combined are still dwarfed by Equens.

Secondly, it’s for cross-border SEPA payments today but mentions possibly delivering the real-time payments interoperability that will be required going forward. That means more and more services that will be offered by Equens to these other ACHs. It’s particularly noteworthy as many believe that EBA Clearing has been positioning itself to provide exactly that service, and has been leading the discussions.

The third point is a broader one. There has been considerably more talk in the last few months about processing, given various elements of PSD2. It’s not yet clear whether the scheme/processor split will apply to “just” card companies, particularly when some of the ACHs process cards. A number of organisations have also mooted whether the XS2A provision potentially provides a way to bypass ACHs, that is, to break the connection between bank and ACH. Given the range of potential impacts, it seems likely that there will be at least some impact.

Finally, we are aware of more than one discussion in Europe about the future of that country’s ACH, particularly as they ponder how to deliver a real-time payments solution for that country. All bets are off.

The net result suggests to me that we’re entering a new phase for payments processors, particularly ACHs, which has been a relatively stable market for many years. The industry – and technology – is in a very different place than when the discussions happened in c. 2005. What made sense then may not make sense now.
We believe that the announcement yesterday will be just the first of a number over the next 2 years. The phrases exciting times and ACHs can be at last mentioned in the same sentence!

On the cusp: regional integration in Asia

It’s 2015, the mid-point of the decade and a good time to start looking at major trends in Asian financial services over the next five to ten years. One of the major themes will be regional integration, which is another way of saying the development of cross-border markets. There are at least two important threads here: the ongoing internationalization of China’s currency, and the development of the ASEAN Economic Community (AEC) in Southeast Asia.

RMB internationalization is really about the loosening of China’s capital controls and its full-fledged integration into the world economy. And everyone seems to want a piece of this action, including near neighbors such as Singapore, who are vying with Hong Kong to be the world’s financial gateway to China. The AEC is well on its way to becoming a reality in 2015, with far-reaching trade agreements designed to facilitate cross-border expansion of dozens of services industries, including financial sectors. While the AEC is not grabbing global headlines the way China does, we see increasing interest in Southeast Asia among our FSI and technology vendor clients.

From Celent’s point of view, both trends will open significant opportunities across financial services: in banking, common payments platforms and cross-border clearing; in capital markets, cross-border trading platforms for listed and even OTC products; in insurance, the continued development of regional markets. Financial institutions will be challenged to create new business models and technology strategies to extract the opportunities offered by regional integration. It’s the mid-point of the decade, and the beginning of something very big.

IPS 2014 Roundup

So you’ll have gathered from recent blog posts that it’s conference season. This is the first of a few posts rounding up some of my recent events. This post is about the International Payments Summit (IPS), which took place last month. Jacob mentioned in his Finovate post that he ensures that he attends as many sessions as possible; IPS is very much turning into my equivalent. I wrote last year about my return to the event after a long absence. This year didn’t disappoint either. For me, there is a great mixture of depth but also variety, with many speakers I’d not seen before. It’s not a cheap show, but content wise, worthwhile. If I had to make some suggestions, I’d suggest perhaps fewer 20-minute presentations. Whilst I can think of one speaker where that was probably 18 minutes too long, there were some others who deserved longer. Lots of notes and things to follow up on, but two themes really stood out.

1) Innovation. Some great presentations, some challenging ideas. For me, the most provocative was from Mark Stevenson, of Flow Associates. The baseball player Yogi Berra famously said “The future ain’t what it used to be”. Mark left me feeling somewhat like that! I can’t do his presentation justice here, but from the advent of cheap solar power to the impact of 3D printers, the picture of the world that Mark painted was necessarily, radically different than the world of today. But effectively the punch line to the presentation was that this future was not 50 years away, but only 5. Scary, scary thoughts ensued as we thought this through!

2) Regulation. The second day of the conference fell the night after the second draft of the PSD2 was voted upon in Brussels. The speaker had attended the session, and then hot-footed it to London; content can’t get much fresher! But across the conference, there were some very deep, technical discussions, which even I struggled with at times. Regulation seems to be getting ever more complex and specialised.
The conference closed with the panel that I sat on, where we summarised the key points of the conference. My take away was labelled “Mind the gap”. I was particularly struck about how little overlap there was between the innovation and regulation discussions, and noticeably, how they were moving further apart. It would seem, considering the sheer volume of regulation that banks face, an obvious place for innovation to take place.