The past decade has witnessed great advancement of technologies, emerging tools and evolving business models in banking. How would these changes impact the Enterprise Risk Management (ERM) of banks in the coming years? Here are some thoughts on the evolving risk landscape.
IT System Risk has greater consequences than ever
More and more digital banks and fintechs have emerged who provide their products and services entirely via Internet and apps. The traditional financial institutions have also invested heavily in digital banking while reducing branch footprints, in order to adapt to the changing customer behaviors.
With multiple IT systems and constant updates, it is paramount to ensure the continuous operation of these systems. Any failure could lead to inconvenient or even disastrous consequences.
In Oct 2019, the challenger bank Chime experienced a payment processor issue, which took its website and app offline for almost 24 hours and denied its customers’ access to funds. This is a scenario no bank wants to see.
Thus, it is important to have recovery plans for all mission critical systems, some of which require well coordination with external service providers. Alternate communication plans need to be in place, for both customers and employees. For major IT projects, adequate resources need to be allocated and proper testing procedure to be followed – this is not a place to cut corners even as banks strive to be agile and achieve greater efficiency.
Data Security issue persists and evolves
In recent years, high profile data breach incidents have not stopped hitting the news headlines. With a large quantity of personal information already breached, the industry has begun to see the adoption of biometrics based identification and authentication.
While biometrics such as fingerprint and voice add additional security, these are also new data elements that banks need to closely guard. Hackers already have their eyes set on these biometric databases.
Another trend in the industry is that banks begin to move data centers into the cloud, whose providers usually possess great security expertise. However, the data security risk for banks does not disappear.
Capital One, who fully embraces public cloud services, experienced a data breach of 106 million customers from both US and Canada last year, due to the misconduct of an AWS employee.
No matter where the data physically resides, the bank – as the owner of the data - is still ultimately responsible for data security. Working with the cloud provider to safeguard the data, from both external and internal threats, should be an integral part of a bank’s ERM plan.
Banks’ customer identification and verification methods need to be solid. As more payments are flowing in the digital world, you want to ensure they are initiated by the true customers
The reality is that the large amount of consumer data makes banks primary targets of data thieves. Besides managing the privilege access to critical data and systems, a holistic data security incident response plan should always be ready, in case the unfortunate event happens. It is also a good idea to regularly evaluate data breach insurance policies against latest cyber-attack schemes, especially for smaller banks.
Third Party Risk Management in a more connected ecosystem
If North America follows the trend elsewhere in the world, open banking will eventually arrive and produce more innovative financial products for consumers to choose.
The year of 2019 has witnessed several collaborations between big techs and big banks. In Jan 2020, VISA’s $5.3 billion acquisition of data aggregator Plaid had everyone talking. These are all signs that new players are gradually being integrated into the traditional banking world.
As banking system becomes more connected and intertwined, there are also more entry points for cyber criminals. In this environment, a bank’s security control is only as strong as its weakest partner’s.
Thus a bank needs to review what data is being shared with third parties. Different types of data require different security and access controls. Recently PNC blocked data aggregators from accessing customers’ account numbers and routing numbers due to security concern. Chase asked aggregators to use tokens instead of passwords to access consumer account information. Similar actions are expected to happen at more banks this year.
It is also important to review third parties’ security measures before they are given access to the bank’s platform. Besides vetting at onboarding stage, ongoing monitoring and assessment are equally important. Strong controls should be in place to timely and effectively detect fraud attacks in case a third party is compromised.
As all stakeholders’ security interests are closely aligned in the ecosystem, it makes sense for banks, fintechs and regulators to collaborate on common security standards and register trusted third parties.
With technology advancement and demands from clients, more products enabling faster and cheaper payments have emerged. ACH’s same day batch, The Clearing House’s Real Time Payments, and Facebook’s controversial LIBRA are a few examples.
While banks meet customers’ demands with fast payments, they are also facing increasing payment fraud that comes along. As the window between sending a payment and its actual posting disappears and payments starts to move 24x7x365, fraud detection and control need to be enhanced and automated accordingly.
Banks’ customer identification and verification methods need to be solid. As more payments are flowing in the digital world, you want to ensure they are initiated by the true customers.
Another challenge is the authorized push payments fraud, which is often associated with scams. It is more difficult to detect as the real customer initiates the payment under the manipulation of scammers.
In this case, customers need to be engaged as an important part of the defense. Education of customers against various types of scams, in combination with behavior analysis and alert system would help mitigate such fraud risk.
The past decade has seen the banking industry enhanced their risk management capabilities. The evolving technology landscape has presented both opportunities and challenges to risk management professionals in the industry. Harnessing technology effectively and integrating the technology plan into the overall ERM will help the bank safely navigate through the next decade.