Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the different risks across their institutions. It has been, and will remain, costly, time-consuming, and a top priority. Celent profiles two award-winning banks that have modelled excellence in their use of risk management technologies across their institutions.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA

Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information on a single platform that connected to front-office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk-rating and risk-weighted-asset calculation engine. The project is seen as one of the most important initiatives in the bank’s history. Its successful completion has placed Alfa-Bank at the forefront of setting standards and best-practice methodologies for capital management regulations for the Russian banking industry and the Central Bank.

USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE

The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial, and vocal) to access its mobile banking application positions USAA to compete with Fintechs across the digital banking ecosystem and to offer exceptional service to its military members and their families.

USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are, and they address increasing concerns about the high rate of compromise of static user names, passwords, and predictable security questions through sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.

Large FIs spent $25M rolling out failed risk management frameworks during the 2000’s. So why try again?

Large financial institutions spent in excess of $25 million on rolling out failed enterprise risk management frameworks during the 2000s. So why try again? Well, for many obvious reasons, the most notable of which has been the large-scale failure of institutions to manage their risks and the well-editorialized consequences of those failures. The scale of fines for misconduct across financial services is staggering, and the damage to the banking industry’s reputation will be long-lasting.

[Figure: Major Control Failures in Financial Services. Source: publicly available data]

Regulators and supervisors are determined to stop and reverse these risk failures, and specifically the poor behavior of many bankers. Regulators are demanding that the Board and executive management take full accountability for securing their institutions, and there is no room for failure. This is the only way that risks can be understood and, hence, managed across the enterprise.

There is no denying that risk management frameworks are hard to implement, but Celent believes the timing is right for the industry not only to secure their institutions and businesses but to innovate more safely and, slowly, win back the trust of their customers.

My recently published report, Governing Risk: A Top-Down Approach to Achieving Integrated Risk Management, offers a risk management taxonomy and governance framework that enables a financial institution to address the myriad risks it faces in a prioritized, structured, and holistic way. It shows how strong governance by the Board is the foundation for a framework that delivers cohesive guidance, policies, procedures, and control functions that align your firm’s risk appetite to returns and capital allocation decisions.

Payment infrastructures – do we care enough about their risks?

This week I attended one of The Financial Services Club events in London – a debate on whether payments infrastructure risk has been largely forgotten. The debate’s outcome was “no, it hasn’t been”, but the discussion raised some interesting points and provided a lot more colour to the answer.

The general consensus was that operational risks are well understood and mostly well managed. At least in the UK, the interbank infrastructures for the BACS, CHAPS, and Faster Payments schemes are very resilient, with glitches extremely rare. The very fact that the payments infrastructure works so well can breed complacency, so that the risks it poses are forgotten.

Layered resiliency is certainly one way of managing business continuity risk; the other is to have multiple providers with easy interchangeability between them. Currently, that is not the case in the UK, as the schemes are too different to simply redirect, say, BACS traffic to the Faster Payments infrastructure and vice versa. Could and should these schemes converge going forward?

On the other hand, liquidity risk certainly can generate shocks in the system. Do banks know how to manage counterparty risk from the operational perspective? What happens if one party cannot settle intraday? How do you know if and when to pay out? In a crisis situation, is straight-through processing (STP) really that good, or would you rather approve outgoing payments manually?

Again, the participants were confident that banks would know what to do, but all agreed that many of them would rely on individual rather than institutional knowledge, i.e. on those deeply experienced people that all banks have somewhere deep in their payments and risk departments. But will this be enough to satisfy the FSA and other regulators? Banks have to take stress testing seriously and put their payments infrastructures through challenging but realistic scenarios to increase confidence in the whole system.

FFIEC Guidance on RDC Risk Management: Are We any Safer Now?

The Federal Financial Institutions Examination Council (FFIEC) issued its long-awaited guidance on remote deposit capture (RDC) risk management in January 2009. The document clearly precipitated a flurry of activity among virtually every bank engaged in RDC. To many banks, the guidance was akin to raising the homeland security threat level from Green to Orange: RDC must be risky, so I’d better do something! But a question arises now, some nine months since its release: did the guidance help banks better manage the risks associated with distributed capture? Are we any safer now? Celent offers two data points that suggest the FFIEC’s efforts, while well intentioned, did little to improve the operational readiness of banks’ RDC programs.

What Really Matters

Celent conducted a survey of US financial institutions in August 2009, generating 174 responses from RDC-deploying banks, thrifts, and credit unions. Respondents were a mix of product managers, executives, sales managers, and operations and IT personnel. The survey sought to better understand the state of the industry and to gauge future opportunity and adoption trends. One question asked respondents to rank various aspects of their RDC program in order of importance. The question was a forced ranking, so respondents couldn’t say that everything was important. The specific items on the list were drawn from multiple bank interviews that preceded the survey.

The results were telling. With so much on their plates, and with so much unrealized opportunity in RDC, regulatory compliance was considered among the most important activities to be undertaken. Matters of customer service and reducing operational risk were judged to be less important. Interesting. The reported focus on regulatory compliance, second only to maximizing deposits (the very reason RDC exists for most banks), was reinforced in post-survey telephone interviews. Banks have been so demonized by the press, the administration, and elected officials that the last thing they need is any further risk of bad PR or regulatory punishment. Hence compliance is nearly Job #1.

Compliance Ranked a Close #2

Source: Celent FI survey, August 2009, n=174

What Specific Actions has the Guidance Caused?

Another question in Celent’s August 2009 survey specifically asked: “What specific activities, if any, have you undertaken in response to the FFIEC guidance on RDC risk published in January 2009?” The question invited an open-ended response. Virtually every bank took action. A very small number of responding FIs asserted that no action was required because, after reading the guidance, they found themselves to be 100% in compliance. Hardly. The table below groups the open-ended responses and lists them in order of frequency. The top three actions account for the majority of responses.

Specific Activities Undertaken as a Result of FFIEC Guidance

  • Reviewed and revised policies and procedures
  • Performed an internal risk assessment
  • Tightened up deposit services agreement for RDC
  • Ensured process and product in compliance
  • Implemented deposit limits and improved reporting
  • Implemented spot check of client retention and destruction procedures
  • Tightened underwriting
  • Increased security guidelines
  • Improved intra-day deposit review

Source: Celent FI survey, August 2009, n=174

Thus, the FFIEC guidance has precipitated significant effort among thousands of banks, at great cost, to document and formalize what many banks were already doing. Tangible new efforts that would arguably identify and mitigate risk (deposit limits, improved reporting, intra-day deposit review, etc.) were relatively infrequent responses to the guidance. Hopefully, now that the dust has settled on the FFIEC guidance, financial institutions can get back to creating new ways to better serve their customers.