The global financial services sector is undergoing an era of technological transformation and deep change in the competitive landscape, with new agile entrants putting pressure on incumbent margins, creating yet more challenges for regulators
Today , central regulators are called to balance their need to maintain improved capital bases by ensuring the profitability of systemically important institutions. The focus on operational and technology resilience has become a major area of concern for risk officers and boards since 2016 to date. The risk strategy agenda observed since then includes addressing new challenges, such as the cloud, data privacy and the inclusion of climate risk into financial risks.
In the US, cybersecurity requirements for financial services companies and a cybersecurity framework were released in 2017 and 2018 respectively. In Europe, the General Data Protection Regulation (GDPR) and a cyber resilience testing framework for significant market participants entered into force in 2018 and 2019. The UK authorities issued a discussion paper on building the UK financial sector’s operational resilience in 2018.
The Monetary Authority of Singapore issued proposed revisions to guidelines on business continuity management and the Australian Securities and Investment Commission updated its market integrity rules to promote technological and operational resilience, both in 2019. In other words, the focus is on operational risks.
The 2019 Financial Stability Board report on FinTech and market structure in financial services, stresses that albeit the current reliance by financial institutions on third-party data service providers (e.g. data provision, cloud storage and analytics, and physical connectivity) for core operations is currently estimated to be low, it is predicted to increase going forward. If high reliance were to emerge, along with a high degree of concentration among service providers, then an operational failure, cyber incident, or insolvency could disrupt the activities of multiple financial institutions. Thus, while increased reliance on third-party providers specialising in cloud services may reduce operational risk at the individual firm level (idiosyncratic risk), it could also pose new risks and challenges for the financial system as a whole, particularly if risks are not appropriately managed at the firm level, and if the complexities and interconnectedness of third parties and their usage continue to grow
Overcast & cloudy outlook?
The concern is clear: as the dependency of financial operators on third-party services increases, so does the exposure to their vulnerabilities and risks. Technology, data and cloud services providers that cater to a large clientele within the industry, carry high concentration risks and potentially bring systemic impacts for their outages.
Given this perspective, how can technology support firms to boost their resilience? How can financial institutions make sure that third- party providers maintain expected levels of reliability over time?
The answer should be investigated in the way today that firms analyse their data to get information to address their risk mitigation strategies, in this case when opening and maintaining business relationships with third parties.
From the selection and monitoring perspective, the current approach is point-in-time-focused, which means that compliance leaders attempt to identify potential third-party risks upfront with extensive due diligence before contracting and again at recertification. This approach is deemed largely ineffective as it contributes to longer onboarding and waiting periods, failing to capture any risks that may arise due to ongoing changes throughout the relationship.
A shift from point-in-time-focused to a data-driven iterative approach to risk management would allow legal and compliance officers to improve their outcomes and effectiveness by identifying third party risks before they actually materialise. This approach requires some information to be learned prior to contracting with the third party, but places greater emphasis on continued learning over the course of the third-party relationship.
As the analysis becomes data-driven, technology comes to help with Artificial Intelligence algorithms within the due diligence setup (where AI can support in the identification of the compliance-check questions that are actually required, based on relevant laws and regulations), in the review of the existing data sources (in the exercise of retrieving information on current and past third-party incidents or potential risk incidents, based on industry data, relevant hotline data and previous risk and internal audit reports).
As a good operational risk strategy is based on timely and accurate prediction of possible risk events and impacts, and considering the large amount of data that needs to be retrieved and analysed, it is clear that the aid provided by automation is no longer an option.
A new operational approach
Last but not least, it is worth mentioning that a new operational approach, entailing the adoption of new technology, brings transformation challenges that need to be properly addressed within the organisation with adequate change management strategies that involve people, processes and procedures.
While the use of technology to evaluate and monitor third parties is the first step, diversification becomes paramount especially in the reliance on cloud services.
As part of diversification strategy, according to the 2019 Enterprise Cloud Index report, financial services today has outpaced all other industries in the adoption of hybrid cloud (defined as a cloud computing environment that uses a mix of on-premises, private, third-party and public cloud services), reaching 21% penetration, compared to a global average of 18%.
Whilst most financial services firms have adopted some form of hybrid cloud, the focus is now turning to multi-cloud. The definition of multi-cloud is broadly discussed, it could be where more than one of the public cloud providers are used by a firm, with each being used for specific workload types, or it could be where the same workloads are run across multiple public cloud providers. Examples of solutions on the market are given from Google and Microsoft, which released in 2019 their hybrid-multi cloud products Google Cloud Anthos and Microsoft Azure Arc.
A new operational approach
It is evident and fascinating to see how technology solutions are evolving to respond to the need of resiliency requested by their clients. Once again, firms need to ensure they have the right operating model and skillset to support multiple cloud providers.
As the reliance on external sources is increasing, so is the amount of data exchanged in the financial ecosystem. Financial services institutions are called to abide by applicable rules of privacy and data protection and to put in place measures of security to defend their enterprises and their clients’ data from cyberattacks. Albeit this does not constitute a new frontier of discussion, it cannot be left out of considerations among the key technology implications of new regulations and market transformation. It is worth mentioning that the privacy technology available on the market not only helps to locate the data that falls under various privacy regulations, but it can also alert data administration about unauthorised access or transfer and can support privacy assessment and data pseudonymisation. Moreover, the technology available today is designed to make the existing privacy platform more efficient, but not to replace it entirely as there is no one solution that offers all the aforementioned characteristics.
Having discussed key tech implications following the observed regulatory trends, it is worth stressing that technology can be an effective lever to boost risk strategies and best practices, only if financial institutions innovate the target operating model. The use of machine learning solutions, although still at early adoption in financial services, is intended to become a must in the application of the evaluation process of operational risks. The information gathered from big data is the next frontier of risk analysis, whose potential can be fully achieved by financial operators only if they embrace the adoption of artificial intelligence solutions and keep pace with the highest standards of cybersecurity available on the market.