Developing a Digital-First Approach to Risk Management

The world has leaned further and further into the digital realm, largely thanks to a younger, more tech-dependent generation.

The Covid-19 pandemic accelerated a years-long push toward online and mobile banking use. Does your institution have a true digital banking strategy to deliver simple and secure digital banking services to your customers? As the primary channel through which customers conduct nearly all their banking activities, digital is your bank now.

But as more consumers turn to digital channels, cybercriminals are following suit — as demonstrated by increasing incidents of fraud and unauthorized account access. To mitigate cybersecurity threats and protect your customers, your bank’s risk management strategy now requires a digital-first approach.

Risk Management in Digital Banking
Even though customers demand digital transformation, delivering frictionless experiences comes with certain inherent challenges and risks. Once you identify these hurdles, you can mitigate them so that your institution can move forward.

The most pressing digital banking risk management issues fall into two categories: overcoming organizational challenges and mitigating regulatory risks. Each of them has several considerations and variables your institution should consider.

Overcoming Organizational Challenges

Outdated corporate culture: Entrenched processes and perspectives can stall your digital transformation. Promoting a more forward-thinking culture must start at the top and flow down in order for the entire institution to embrace change. Confirm your bank’s risk management personnel are onboard, and involve them from the beginning to ensure a secure and safe transformation.

Refocusing of key positions: Some of your bank’s key positions may change in response to digital transformation. Digitization may shift the focus of some, but these positions are still critical to the institution’s success. For example, instead of manually performing tasks, employees working in an operations department may begin focusing on automating processes for the institution.

Resistance to change: Many institutions have executives that will champion progress, while others are resistant to the changes required to adopt a digital-first approach. Identify the champions at your institution and empower them to lead your digital transformation.

Lack of innovative thought leadership: It will take true out-of-the-box thinking to digitally compete with the big banks and emerging fintech companies. Encourage that kind of modern thinking within your institution.

Misguided beliefs: Quash any notions that a mobile banking app is the only component of a digital strategy, or that a digital-first approach means that personalization is no longer needed. Back-end operations and internal processes must fully support a digital environment that effectively identifies and fulfills individual customer needs based on their actions and behaviors — without adding friction to the customer experience.

Mitigating Regulatory Risks

Digital compliance and cybersecurity: Banks operating in a digital environment must still comply with all applicable laws and regulations. This includes paying attention to uniquely digital processes that are covered under specific rules, such as electronically signing documents per the E-Sign Act. To mitigate risk, institutions should invest in technology designed to ensure compliance and strengthen cybersecurity.

Third-party risk management: Many banks are outsourcing all or part of their digital strategy to fintechs and other third-party vendors out of necessity. But institutions are still ultimately responsible for all functions, whether they are performed internally or externally. A robust vendor management program is key to avoiding unqualified third-party providers. A provider must understand applicable regulatory requirements, be able to adhere to them and guarantee compliance.

Fraud and identity theft: The increase in banking without face-to-face interaction can increase the risk of synthetic identity fraud, traditional identity theft and account takeovers. Your bank should meet these challenges by reviewing and strengthening your Bank Secrecy Act/anti-money laundering (BSA/AML), know your customer (KYC), customer due diligence (CDD), cybersecurity and other relevant compliance programs. Digitizing internal processes will result in more available data as well as the ability to use AI to monitor customer behaviors and efficiently identify potential fraud.

While digitization can increase certain risks for banks that undertake such a transformation, enabling enhanced digital banking risk management to secure digital channels, mitigate risk and deliver a frictionless customer experience is worth the effort.

Does your Bank Need a SOC?

Banks’ IT departments are at risk of burning out, given the constant pressure to comply with industry standards while preventing emerging cybersecurity threats.

Risk management solutions are in high demand within the financial industry, as the need for continuous network monitoring has only grown. If this sounds more like your current reality than a distant memory, a security operation center (SOC) could be the ideal cybersecurity solution that your bank needs.

What is a SOC?
Gartner defines a security operations center as “a team, often operating in shifts 24/7, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”

SOCs are responsible for monitoring and analyzing activity on networks, servers, and more. The service center is consistently looking for abnormal activity, indicating a potential breach, security incident, or malicious activity in your network. SOCs also detect harmful attempts to compromise your network and assist with the incident response lifecycle, allowing your bank’s IT team to respond more efficiently and work towards preventing security threats altogether. The goal is simple: get the job done quickly and accurately.

The key to deciding whether to move forward with external SOC support is the ability to deliver all of your enterprise network traffic, laptops, desktops, firewalls, VPNs, routers, switches and application security application detections to your SOC for their review and analysis. Paying a SOC service to watch your firewall traffic isn’t comprehensive enough and will give you a false sense of security. This is why you should consider buying a Security Information and Event Management (SIEM) platform that will ingest all of your data, making it easier for your SOC to protect your network.

What to look for in a SOC?
Searching for an ideal security operations center is not an easy task. There can be delays due to limited knowledge about key features. Below is a list of some primary features your bank should require in a SOC service:

  • Network Monitoring: The service should continuously monitor your network traffic and detect potential intrusions. You should also receive real-time alerts for any anomalous or malicious activity.
  • Incident Response: The incident response lifecycle starts with the initial detection and containment, then continues to the eradication phase, and finally returns to normal business operations.
  • Account Privilege: Privilege analysis of every account, system and group provides a financial institution’s staff with knowledge of exactly who can access the most sensitive data.
  • Compliance Reporting: Compliance reporting tools should include PCI DSS (Payment Card Industry), NIST (National Institute of Standards and Technology), and HIPAA. The FFIEC’s Cyber Assessment Tool (CAT) should be directly integrated into the service as well.
  • 360° View of Network: A SOC service should have the capability to monitor and defend networks on-premise, in the cloud continuously, and across the globe.

According to an Information Security Buzz article, the key to maximizing features like those listed above is to “integrate the data flowing among all the tools. This gives your entire security operations team a filtered view into what the information means.” The more perspectives that analytics can produce from data flow, the higher the value of that analysis. While all SOCs are different, they have critical components that will make or break the success of your bank’s cybersecurity team.

Why prioritize your network’s security?
Cybercriminals are becoming more creative and methodical with their attacks, especially now that remote work is the new normal. The occurrences and threat potentials of data breaches and cyberattacks are at an all-time high, and Security Ventures projects cybercrime damage to total $6 trillion by 2021.

It’s unrealistic to expect your bank’s IT department to quickly and efficiently monitor and solve every problem as demand increases. Your team should feel like they can do their job without continuously worrying about capacity concerns. By implementing a SOC service into your cybersecurity roadmap, your organization can expand its security capabilities, without breaking the bank, for years to come.

The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance usually doesn’t tend to drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will vary on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

Embracing a Challenging Environment to Evolve

New York University economist Paul Romer once said, “A crisis is a terrible thing to waste.”

With a nod to Dr. Romer, we believe banks have an extraordinary opportunity to embrace the challenging environment created by the Covid-19 pandemic to enhance critical housekeeping matters. Here are five areas where banks may find opportunities to declutter or reengineer policies, procedures and best practices.

Culture
One of the most obvious opportunities for banks is to focus on culture. Employees working from home has eliminated the ability to have typical office parties, barbeques and other events to build comradery. Remote and semi-remote working environments are challenging employees in many difficult ways. Fortunately, banks are finding simple, yet creative, ways to stay in contact with their employees and build culture through additional correspondence and feedback — electronic happy hours, car parades, and socially distant visits, for example. Creatively maintaining high engagement in challenging times will serve to improve communication and culture over the long term. As management consultant Peter Drucker once said, “Culture eats strategy for breakfast.”

Cybersecurity
Cybersecurity risk continues to be top of mind for bankers and regulators given the remote work brought on by Covid. Certainly, most banks’ cybersecurity risk management planning did not contemplate the immediate scale of remote work, but the extreme experience is an opportunity to drill down on underlying policies and procedures. Banking agencies have provided the general blueprint on sound risk management for cybersecurity.

This heightened risk environment provides executives with a perfect opportunity to note where their vulnerabilities may exist or be discovered, where cyberattacks focus and what works—or doesn’t —for your bank. Use the guidance provided to assess your bank’s response and resilience capabilities. Consider the overall map and configuration of your cyber architecture. Consider authentication requirements and permissions to protect against unauthorized access. Take the time to work with information technology experts to clean up access controls and response plans. This is an active situation that provides bankers the unique opportunity to learn and adapt in real time.

Compliance
Banks also face enhanced compliance originating from federal programs aimed at keeping businesses afloat. A worthy endeavor to be sure, but the rollout of some federal programs such as the Small Business Administration’s Paycheck Protection Program has far outpaced the guidance for banks tasked with implementation. The trickle of (often inconsistent) guidance on the documentation, eligibility and certification adds compliance challenges in reporting under the Bank Secrecy Act, fair lending under the Equal Credit Opportunity Act and unfair or deceptive acts and practices under the Federal Trade Commission Act, for example.

Compliance teams have an opportunity to shine at something they are already extraordinarily good at: documentation. They should document the processes and practices they deploy to demonstrate compliance, despite the uncertainty and pace at which they are expected to operate. This documentation can support real-time decision-making that may come up with regulators in the future, and can serve as a basis for improvement on future best practices and training. Compliance teams will discover new questions to ask, novel scenarios to address and gaps to fill.

Operational Planning
The best time to consider the impacts of Covid on your bank’s operations is while events and memories are fresh. Banks all over the country are experiencing what a handful of institutions may go through in the wake of a natural disaster: devastation, uncertainty and a need for banking support. This is the time to review your bank’s disaster recovery and business continuity plans, specifically including pandemic planning, to assess the plans against reality.  

To help, the Federal Financial Institutions Examination Council released an updated statement on pandemic planning suggesting actions that banks can take to potentially minimize a pandemic’s adverse effects. This is an chance to improve business continuity planning for similar future events, understanding that they may not be as deep or prolonged as the coronavirus. Exercising the plans in real time, compared to a scheduled test, can reveal helpful improvements that will only strengthen the bank.

Customer Experience
Coping with remote work and providing banking services outside of a branch provides the opportunity for banks to consider strategies around technology and financial technology partnerships. Customers have been rerouted to electronic avenues, and many seem to have embraced technology to deposit checks, access accounts online and transact business.

This evolution offers banks the opportunity to adapt and recognize the use of financial technologies. Many customers will understandably return to branches to conduct some of their business when they reopen, but may require them less. Banks may want to consider how they can satisfy future customer demand and improve the customer experience more broadly. These are just five areas where we see opportunities for banks of all levels and complexity to enhance their policies, procedures and best practices as they prepare to move forward.

Turning Compliance From an Exercise Into a Partnership

The Greek philosopher Heraclitus once observed that no one can ever step into the same river twice. If these philosophers tried to define how the financial industry works today, they might say that no bank can ever step into the same technology stream twice.

Twenty-first century innovations, evolving standards and new business requirements keep the landscape fluid — and that’s without factoring in the perpetual challenge of regulatory changes. As you evaluate your institution’s digital strategic plan, consider opportunities to address both technology and compliance transformations with the same solution.

The investments your bank makes in compliance technology will set the stage for how you operate today and in the future. Are you working with a compliance partner who offers the same solution that they did two, five or even 10 years ago? Consider the turnover in consumer electronics in that same period.

Your compliance partner’s reaction time is your bank’s reaction time. If your compliance partner is not integrated with cloud-based systems, does not offer solutions tailored for online banking and does not support an integrated data workflow, then it isn’t likely they can position you for the next technology development, either. If your institution is looking to change core providers, platform providers or extend solutions through application programming interfaces, or APIs, the limitations of a dated compliance solution will pose a multiplying effect on the time and costs associated with these projects.

A compliance partner must also safeguard a bank’s data integrity. Digital data is the backbone of digital banking. You need a compliance partner who doesn’t store personally identifiable information or otherwise expose your institution to risks associated with data breaches. Your compliance data management solution needs to offer secured access tiers while supporting a single system of record.

The best partners know that service is a two-sided coin: providing the support you need while minimizing the support required for their solution. Your compliance partner must understand your business challenges and offering a service model that connects bank staff with legal and technology expertise to address implementation questions. Leading compliance partners also understand that service isn’t just about having seasoned professionals ready to answer questions. It’s also about offering a solution that’s designed to deliver an efficient user experience, is easy to set up and provides training resources that reach across teams and business footprints — minimizing the need to make a support call. Intuitive technology interfaces and asynchronous education delivery can serve as silent accelerators for strategic goals related to digitize lending and deposit operations.

Compliance partners should value and respect a bank’s content control and incorporate configurability into their culture. Your products and terms belong to you. It’s the responsibility of a compliance partner to make sure that your transactions support the configurability needed to service customers. Banks can’t afford a compliance technology approach that restricts their ability to innovate products or permanently chains them to standard products, language or workarounds to achieve the output necessary to serve the customer. Executives can be confident that their banks can competitively adapt today and in the future when configurability is an essential component of their compliance solution.

A compliance partner’s ability to meet a bank’s needs depends on an active feedback loop. Partners never approach their relationship with firms as a once-and-done conversation because they understand that their solution will need to adjust as business demands evolve. Look for partners that cultivate opportunities to learn how they can grow their solution to meet your bank’s challenges.

Compliance solutions shouldn’t be thought of as siloed add-ons to a bank’s digital operations. The right compliance partner aligns their solution with a bank’s overall objectives and helps extend its business reach. Make sure that your compliance technology investment positions your bank for long-term return on investment.

Artificial Intelligence: Exploring What’s Possible

Banks are exploring artificial intelligence to bolster regulatory compliance processes and better understand customers. This technology promises to expand over the next several years, says Sultan Meghji, CEO of Neocova. As AI emerges, it’s vital that bank leaders explore its possibilities. He shares how banks should consider and move forward with these solutions. 

  • Common Uses of AI Today
  • Near-Term Perspective
  • Evaluating & Implementing Solutions

 

The Strategic Side of Cybersecurity Governance


cybersecurity-8-7-19.pngWithout a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. It proactively undertakes initiatives because it’s the right thing to do, versus an auditor instructing a company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel that is focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned to the cyber risk governance. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the company’s institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks that the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that its cyber risks are being addressed.

Addressing the Top Three Risk Trends for Banks in 2019



As banks continue to become more reliant on technology, the risks and concerns around cybersecurity and compliance continue to grow. Bank Director’s 2019 Risk Survey, sponsored by Moss Adams LLP, compiled the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about the current risk landscape. Respondents identified cybersecurity as the greatest concern, continuing the trend from the previous five versions of this report and indicating an industry-wide struggle to fully manage this risk.

Other top trends included the use of technology to enhance compliance and the potential effect of rising interest rates. Here’s what banks need to know as they assess the risks they’ll face in the coming year.

Cybersecurity
Regulatory oversight and scrutiny around cybersecurity for banks seems to be increasing. Agencies including the Securities and Exchange Commission are focused on the cybersecurity reporting practices of publicly traded institutions, as well as their ability to detect intruders. The Colorado legislature recently passed a law requiring credit unions to report data breaches within 30 days. It’s no surprise that 83 percent of respondents said their concerns about cybersecurity had increased over the past year.

Most of the cybersecurity risk for banks comes from application security. The more banks rely on technology, the greater the chance they face of a security breach. Adding to this, hackers continue to refine their techniques and skills, so banks need to continually update and improve their cybersecurity skills. This expectation falls to the bank board, but the way boards oversee cybersecurity continues to vary: Twenty-seven percent opt for a risk committee; 25 percent, a technology committee and 19 percent, the audit committee. Only 8 percent of respondents reported their board has a board-level cybersecurity committee; 20 percent address cybersecurity as a full board rather than delegating it to a committee.

Compliance & Regtech
Utilizing technological tools to meet compliance standards—known as regtech—was another prevalent theme in this year’s survey. This is a big stress area for banks due to continually changing requirements. The previous report indicated that survey respondents saw increased expenses around regtech. This year, when asked which barriers they encountered around regtech, 47 percent responded they were unable to identify the right solutions for their organizations. Executives looking to decrease costs may want to consider whether deploying technology could allow for fewer personnel. When this technology is properly used, manual work decreases through increased automation.

Other compliance concerns for this year’s report included rules around the Bank Secrecy Act and anti-money laundering. Seventy-one percent of respondents indicated they implemented or plan to implement more innovative technology in 2019 to better comply with BSA/AML rules.

Compliance with the current expected credit loss standard was another area of concern. Forty-two percent of respondents indicated their bank was prepared to comply with the CECL standard, and 56 percent replied they would be prepared when the standard took place for their bank.

Interest Rate & Credit Risk
The potential for additional interest rate increases made this a new key issue for the 2019 report. When asked how an interest rate increase of more than 100 basis points, or 1 percent, would affect their banks’ ability to attract and retain deposits, 47 percent of respondents indicated they would lose some deposits, but their bank wouldn’t be significantly affected. Thirty percent indicated an increase would have no impact on their ability to compete for deposits.

However, 55 percent believed a severe economic downturn would have a moderate impact on their banks’ capital. In the event of such a downturn, deposits and lending would slow, and banks could incur more charge-offs, which would impact capital. This fluctuation can be easy to dismiss, but careful planning may help reduce this risk.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

How Innovative Banks Keep Up With Compliance Changes


compliance-6-5-19.pngBankers and directors are increasingly worried about compliance risk.

More than half of executives and directors at banks with more than $10 billion in assets said their concerns about compliance risk increased in 2018, according to Bank Director’s 2019 Risk Survey. At banks of all sizes, 39 percent of respondents expressed increasing concern about their ability to comply with changing regulations.

They’re right to be worried. In 2018, U.S. banks saw the largest amount of rule changes since 2012, according to Pamela Perdue, chief regulatory officer for Continuity. This may have surprised bankers who assumed that deregulation would translate to less work.

“The reality is that that is not the case,” she says. “[I]t takes just as much operational effort to unwind a regulatory implementation as it does to ramp it up in the first place.”

Many banks still rely on compliance officers manually monitoring websites and using Google alerts to stay abreast of law and policy changes. That “hunt-and-peck” approach to compliance may not be sufficiently broad enough; Perdue said bankers risk missing or misinterpreting regulatory updates.

This potential liability could also mean missed opportunities for new business as rules change. To handle these challenges, some banks use regulatory change management (RCM) technology to aggregate law and policy changes and stay ahead of the curve.

RCM technology offerings are evolving. Current offerings are often included in broader governance risk and compliance solutions, though these tools often use the same manual methods for collecting and processing content that banks use.

Some versions of RCM technology link into data feeds from regulatory bodies and use scripts to crawl the web to capture information. This is less likely to miss a change but creates a mountain of alerts for a bank to sort through. Some providers pair this offering with expert analysis, and make recommendations for whether and how banks should respond.

But some of the most innovative banks are leveraging artificial intelligence (AI) to manage regulatory change. Bank Director’s 2019 Risk Survey revealed that 29 percent of bank respondents are exploring AI, and another 8 percent are already using it to enhance the compliance function. Companies like San Francisco-based Compliance.ai use AI to extract regulatory changes, classify them and summarize their key holdings in minutes.

While AI works exponentially faster than human compliance officers, there are concerns about its accuracy and reliability.

“I think organizations need to be pragmatic about this,” says Compliance.ai chief executive officer and co-founder Kayvan Alikhani. “[T]here has to exist a healthy level of skepticism about solutions that use artificial intelligence and machine learning to replace what a $700 to $800 an hour lawyer was doing before this solution was used.”

Compliance.ai uses an “Expert in The Loop” system to verify that the classifications and summaries the AI produced are accurate. This nuanced version of supervised learning helps train the model, which only confirms a finding if it has higher than 95 percent confidence in the decision.

Bankers may find it challenging to test their regulatory technology systems for accuracy and validity, according to Jo Ann Barefoot, chief executive officer of Washington-based Barefoot Innovation Group and Hummingbird Regtech.

“A lot of a lot of banks are running simultaneously on the new software and the old process, and trying to see whether they get the same results or even better results with the new technology,” she says.

Alikhani encourages banks to do proofs of concept and test new solutions alongside their current methodologies, comparing the results over time.

Trust and reliability don’t seem to be key factors in bankers’ pursuit of AI-based compliance technology. In Bank Director’s 2019 Risk Survey, only 11 percent of banks said their bank leadership teams’ hesitation was a barrier to adoption. Instead, 47 percent cited the inability to identify the right solution and 37 percent cited a lack of viable solutions in the marketplace as the biggest deterrents.

Bankers who are adopting RCM are motivated by expense savings, creating a more robust compliance program and even finding a competitive edge, according to Barefoot.

“If your competitors are using these kinds of tools and you’re not that’s going to hurt you,” she says.

Potential Technology Partners

Continuity

Combines regulatory data feeds with consultative advice about how to implement changes.

Compliance.ai

Pairs an “Expert in the Loop” system to verify the accuracy of AI summaries and categorization

OneSumX Regulatory Change Management from Wolters Kluwer

Includes workflows and tasks that help banks manage the implementation of new rules and changes

BWise

Provides impact ratings that show which parts of the bank will be impacted by a rule and the degree of impact

Predict360 from 360factors

Governance risk and compliance solution that provides banks with access to the Code of Federal Regulations and administrative codes for each state

Learn more about each of the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

Five Reasons Behind Mortgage Subservicing’s Continued Popularity


mortgage-6-3-19.pngMortgage subservicing has made significant in-roads among banks, as more institutions decide to outsource the function to strategic partners.

In 1990, virtually no financial institution outsourced their residential mortgage servicing.

By the end of 2018, the Federal Reserve said that $2.47 trillion of the $10.337 trillion, or 24%, of mortgage loans and mortgage servicing rights were subserviced. Less than three decades have passed, but the work required to service a mortgage effectively has completely changed. Five trends have been at work pushing an increasing number of banks to shift to a strategic partner for mortgage subservicing.

  1. Gain strategic flexibility. Servicing operations carry high fixed costs that are cannot adapt quickly when market conditions change. Partnering with a subservicer allows lenders to scale their mortgage portfolio, expand their geographies, add product types and sell to multiple investors as needed. A partnership gives bank management teams the ability to react faster to changing conditions and manage their operations more strategically.
  2. Prioritizes strong compliance. The increasing complexity of the regulatory environment puts tremendous strain on management and servicing teams. This can mean that mortgage businesses are sometimes unable to make strategic adjustments because the bank lacks the regulatory expertise needed. But subservicers can leverage their scale to hire the necessary talent to ensure compliance with all federal, state, municipal and government sponsored entity and agency requirements.
  3. Increased efficiency, yielding better results with better data. Mortgage servicing is a data-intensive endeavor, with information often residing in outdated and siloed systems. Mortgage subservicers can provide a bank management team with all the information they would need to operate their business as effectively and efficiently as possible.
  4. Give borrowers the experience they want. Today’s borrowers expect their mortgage lender to offer comparable experiences across digital channels like mobile, web, virtual and video. But it often does not make sense for banks to build these mortgage-specific technologies themselves, given high costs, a lack of expertise and gaps in standard core banking platforms for specific mortgage functions. Partnering with a mortgage subservicer allows banks to offer modern and relevant digital servicing applications.
  5. Reduced cost. Calculating the cost to service a loan can be a challenging undertaking for a bank due to multiple business units sharing services, misallocated overhead charges and hybrid roles in many servicing operations. These costs can be difficult to calculate, and the expense varies widely based on the type of loans, size of portfolio and the credit quality. A subservicer can help solidify a predictable expense for a bank that is generally more cost efficient compared to operating a full mortgage servicing unit.

The broader economic trends underpinning the growing popularity of mortgage subservicing look to be strengthening, which will only accelerate this trend. Once an operational cost save, mortgage subservicing has transformed into a strategic choice for many banks.