Over the last few years non-financial risk has leapt up banks’ agendas. But many banks are unprepared to deal with the threats.
Since 2008, many banks have focused on financial risk. The result is that many now don’t know how to reassure their boards and regulators that non-financial risk is also under control. Technology is increasingly the key to solving their problems.
From financial to non-financial risk
While there were undoubtedly a number of causes for the 2008 financial crisis, in response, regulators understandably focused on managing financial risk.
They concentrated on ensuring banks properly assessed and categorised the risks of losing money on loans and other financial assets – and that they had sufficient capital buffers to take on these losses comfortably. This is what the regulators in the US, Europe, and the UK have been doing by running stress tests over the last few years.
But recently regulators and banks have increasingly turned their attention towards non-financial risk. In their most familiar form, non-financial risks are compliance and monitoring failures, such as failing to detect and stop rogue traders or money laundering activity. But they can also include more mundane things like technology failures and operational mistakes.
These types of risks will continue to rise in importance. Banks have already started to double down and focus on them. For example, in 2015, 89 per cent of bank senior management and boards reported that they would be focusing more on non-financial risks over the coming year.
Non-financial risk now matters more
This renewed focus has been caused by a combination of factors. First, the further we get away from the financial crash, the more banks and regulators have done to mitigate and overcome the financial risks that caused the crash.
Many of the regulations that have come into application recently, from Basel to MiFID, have drawn a line under financial risks – and have provided regulators with more psychological security. Regulators now feel that financial risk is under control, whether or not it actually is.
In addition, there’s a new-found public and media interest in banks – the whole industry is under much greater public scrutiny. And that’s changing the whole dynamic. One of the most damaging elements of non-financial risk is not the monetary loss – although that is high too – but the reputational cost. Today, hardly a week goes by without one of the biggest UK or international newspapers focusing on a different and highly damaging mis-selling or compliance scandal.
New compliance structures can only get us so far
In the past, it was sometimes difficult to place blame for non-financial compliance failures. They were viewed as collateral damage – just something that happens. But thanks to the media, this attitude is no longer acceptable. To solve, or mitigate, these non-financial challenges, many banks have therefore given their compliance managers additional explicit responsibility for these risks – alongside the more well-known financial ones.
Many banks have also added compliance structures to their risk management teams. In particular, they’ve recognised that the majority of non-financial failures occur because of a lack of oversight: things simply falling through the gaps. To address this, they’ve added to the headcount, and increasingly added so-called CST units – or Central Supervision Teams.
The core responsibility of these new teams is to assist supervisors with assessing issues, designing controls, executing supervisory processes, and monitoring non-financial risks. They provide a new, independent, advisory line of defense. A new, additional filter.
Banks have also increasingly extended the risk and compliance monitoring responsibilities of other departments within the bank. For example, many banks have given their HR department the explicit responsibility for finding so-called 'bad eggs', and also tasked them with creating and enforcing a more ethical culture.
But this is clearly not enough. The headlines keep coming, and the distrust in banks keeps growing. In fact, I wrote an article recently about the fact that half of the general public still do not think banks are regulated enough.
Technology is a key solution
The key problem is that compliance departments are already significantly overstretched. The global, 24/7 economy has caused a huge acceleration in business. There are so many more transactions to monitor – millions upon millions per day. There are countless more clients to watch, and employees to keep an eye out for. Adding an extra line of support for compliance staff is helpful, but it pales in comparison to the radical increase in the number of work streams that must be watched.
Many compliance departments have also been kept busy by the escalating levels of new regulation. Regulators around the world have been in overdrive. From MiFID II to GDPR, the new regulations just keep coming. And this is only set to get worse as many banks are hit by a regulatory hurricane from Brexit.
Technology has played a big role in helping deal with financial risk. The latest tech and algorithms let banks assess and monitor the financial risk, and interconnectedness, of their assets. And it’s been keenly adopted to help banks stay in control. The regulators have also used very complex, advanced AI and modeling software to predict the outcome of another financial crash.
But this same level of technology has not been applied yet on the non-financial side. If banks want to stay on top of non-financial risk in the future – and they must – technology will be critical to unleashing resource in compliance departments to monitor and effectively manage non-financial risk. This needs to be done, and as banks and regulators continue to focus on non-financial risk, it will be done.
Technology offers compliance departments the latest AI and monitoring tools to track regulations. It provides compliance staff with quick, actionable information and the steps they need to take to implement new regulatory packages. It empowers them with the latest monitoring software, letting them automatically filter through the noise and pick up suspicious activity and signals among both clients and employees using big data.
But tech implementation won't necessarily be easy. It could mean whole new data structures to make sure that this technology has all the information it needs to pick up suspicious signals. This is why a number of banks still haven't brought in this new tech; it's expensive. But it must be done.
As regulators and banks turn to non-financial risk, banks need to make sure they commit the additional money to invest in technology to solve many of these problems. Adding people will not be enough to secure their future.