Emerging risks facing the financial services industry
June 2015 | EXPERT BRIEFING | RISK MANAGEMENT
Financial institutions are continually exposed to a variety of global landscapes – all of which are driven by the economic, geopolitical, technological, sociopolitical and environmental realms in which they operate. These varying landscapes expose organisations to an accumulation of rapidly changing risks that must be managed in order to mitigate the threats to a firm’s performance. Having the tools and capabilities to be prepared for, and to respond appropriately to, new developments from these evolving dimensions is crucial for all industry sectors – but especially within the financial services arena. The 2007-2010 global financial crisis, which arose from easy credit conditions, predatory lending practices and insufficient risk pricing, created a range of systemic attributes that have since led to new regulatory initiatives which global financial services firms are now racing to meet. At the same time, these firms continue to be exposed to new trends and risks that still have to be managed under an enterprise risk management (ERM) framework. Although this situation is not unique to any one particular entity doing business in a multi-dimensional environment, it can nonetheless lead to additional risks that have yet to be identified, but which have systemic reach across the global terrain.
A sound structure that can be applied to identifying emerging risks as part of the enterprise risk management process is the set of guidelines established and advocated by the World Economic Forum (WEF). Through the WEF’s annual Global Risks Report, now in its tenth edition, financial entities can obtain a granular analysis of emerging risks and a comprehensive agenda to support their risk management processes. In other words, organisations must look at and be prepared for the continuum of risks that encompasses not only known and unknown risks, but also those that are ‘unknowable’ or that require elements of ‘black swan’ management. Having a structure to scan the radar for a broad range of risks according to their source, risk type, risk characteristics and the manner in which the risks have manifested can serve as a tool to identify and manage risks that are both systemic and interconnected across countries and sectors.
Among the emerging risks facing financial institutions today that are systemic and interconnected across global landscapes are compliance governance and risk management practices. Another risk that has been developing for quite some time but has quickly become a serious industry threat is that of cyber security. While it should be noted that the foregoing risks represent developing trends that have evolved with both the challenges and opportunities driving the industry, they do not exhaust the emerging risk factors that are moving the industry forward. However, they do represent some of the essential trends and developments that are presently preoccupying the sector.
Compliance governance and risk management practices are presently driving the industry as a result of the Dodd-Frank Act, which is based on a compilation of federal regulatory mandates. Passed in 2010 under the Obama administration, Dodd-Frank essentially empowers the federal government to heavily monitor and scrutinise the financial services industry through an abundance of regulatory requirements. Among these requirements are the Enhanced Prudential Standards (EPS), which strengthen the supervision and regulation of large US bank holding companies and foreign banking organisations.
Specifically, the standards place stricter risk management obligations on banks with respect to their vendors and third-party service providers, particularly in terms of vendor access to confidential client information. The EPS also seek to provide greater consumer protection for residential mortgages, auto loans and other consumer-related financing services. A new aspect of the EPS is resolution planning for what are defined as Systemically Important Financial Institutions (SIFIs). These are entities considered to have a systemic impact on the industry, and are therefore deemed to require a ‘living will’. For an SIFI, the ‘living will’ is designed to give the institution a prepared response: in the event of a catastrophic crisis that spans the globe, a plan of action will be in place that details how the firm will dissolve itself rather than rely on the government to bail it out.
Restricted investments are another aspect of the EPS, whereby proprietary trading will cease and institutions will be limited in the types of investment that they can undertake on behalf of their clients, especially where such investments do not benefit the customers. While complying with these restrictions on investment activity may prove costly to firms, one benefit that has followed is the increased focus on the industry’s need to improve its IT infrastructure. The EPS require financial entities to effectively monitor data quality and analysis practices, which will hopefully serve as the catalyst to further mitigate insolvency exposure through effective liquidity, risk management and capital positions. This will need to be demonstrated by aggregating risk and having the capability to analyse data across the enterprise, so that senior management can aggregate and report risk in a timely and accurate manner.
The landscape for cyber security has become more complex not only because of the increasing professionalism of hackers but also because of the growing number of hacking participants, including organised crime factions, nation states and so-called hacktivists. Exposure to cyber attacks has in many cases left financial institutions hostage to attackers as they engage in cat and mouse games with them. Despite the investments that have been made thus far to combat this threat, including the hiring of Chief Information Security Officers (CISOs) at some banks, a gap remains in the amount of influence these officers can actually bring to the organisation. Unless CISOs are incorporated into the overall corporate strategy and culture, the influence of top security personnel will remain limited: they may not even be aware when their concerns are overshadowed by the business or when their findings and objectives are left out of the firm’s overall organisational strategy. CISOs therefore need the authority to determine which security technologies should be purchased, in alignment with the bank’s strategy.
Financial enterprises should therefore look at a broad range of advanced solution providers and change how spending is allocated to combat such attacks. Instead of spending on antivirus and firewalls, as has historically been the response, firms need to address this risk by considering security technologies that execute potentially malicious files in a safe, isolated environment to determine whether they are harmful, and that leverage malware behaviour data and threat intelligence when monitoring network activity for signs of anomalies. Companies should also develop a risk strategy that focuses on the inherent risks at data entry points such as VPNs, wireless networks and personal device programmes, in order to mitigate the impact of inadequate responses to cyber security attacks and of unauthorised access to confidential client information. Failure to meet these governing mandates as they pertain to cyber security attacks may lead to fines and penalties, and could potentially result in regulatory bodies seeking to impose limitations on future expansion and business activities.
JoEtta Colquitt is an Enterprise Risk Management Subject Matter Expert at Capgemini Financial Services. She can be contacted on +1 (646) 678 9971 or by email at firstname.lastname@example.org.
© Financier Worldwide