- With staff working from home instead of the office, banks could be exposed to unprecedented levels of conduct risks, security hazards and cultural issues.
- Regulators have flexed the rules for financial institutions during the pandemic – so they could focus on providing core services – but wrongdoing will still be investigated and punished.
- 2020 has accelerated non-financial risk managers’ plans to digitise their operations, bringing serious benefits in terms of cost, efficiency and safety for their employers.
Leading journalist and Network Standard editor Tim Wallace speaks to Acin’s Paul Ford about the growing operational risks for those of us in risk, how to manage them and how technology is the only way forwards.
Could another Libor, forex or commodities scandal be brewing? The conditions are ripe for collusion, manipulation or some other as-yet unknown form of trading misbehaviour to strike banks, their clients and markets.
“I’ve heard examples of a flat with three traders, all working for different organisations, all working out of the same room,” says Paul Ford, chief executive of Acin.
This is a nightmare for compliance. Where banks once kept an eagle eye on their trading floor operators, now young and highly pressured staff are out of sight, working at home in ways which would have been unthinkable before the coronavirus pandemic.
“When you have suddenly distributed people out, how do you make sure they are not doing the wrong things, when you cannot see their environment?” asks Ford.
“You don’t know they haven’t got another iPad over there which they’re using to talk to other people and collude with them.”
So how to stop it?
The old-fashioned way – as we must now think of the era before Covid-19 – was to bring all of your staff together in an office. Managers could physically see their underlings. Electronic monitoring on banks’ equipment recorded phone calls and messages. A carefully built culture sought to reinforce norms of good behaviour.
Yet working from home blows this out of the water.
“When you look back to Libor manipulation, those had an electronic audit trail because they were in organisations which could not stop the issue from happening, but at least they could go back and look at all of the things that happened,” says Ford.
Now, a manager has no chance to spot that extra iPad, unregistered private phone or simple conversation which could enable collusion or malpractice, whether deliberate or inadvertent.
60% of data-driven Risk Intelligence produced since Covid-19 emerged is conduct risk-linked, with a spike at the height of the first lockdown with traders working from home and clients needing increased collaboration, according to Acin data.
Expect to see much more intensive digital monitoring to combat the threat of bad behaviour.
CCTV cameras giving managers direct line of sight into workers’ spare room offices might be a step too far, but traders can anticipate intrusive oversight.
“Electronic monitoring will go up to a level which is significantly higher than it was inside an office – you are trusting people less,” says Ford.
Building a culture which encourages the right behaviour is a crucial goal, too, to make sure workers behave in the right way when they do not have a manager standing over their shoulder.
“One of the challenges is how to bring up the younger generation,” says Ford. “The technical performance is one thing – how to trade, or supervise, or sell – but there are also boundaries of judgement. That judgement and culture, the less tangible things, are starting to become more controlled.”
But the new world has thrown up far more challenges to resilience and operational stability than conduct risk alone.
In a world of remote working, old habits, from traditional group work and meetings to data storage and filing, must all change.
In-person meetings meant everyone looking at the same handout or presentation or whiteboard, but that is not so easy over Zoom.
So standardised digital information is key, allowing everyone to look at “the single version of the truth”.
The same is true of risk data, which traditionally could be spread across head office, with different information in different formats.
“Firms intellectually knew they needed to stop having it in, say, 50 spreadsheets, 10 Word documents, 3 PowerPoint presentations and 4 systems – they knew the direction of travel. But there were always priorities,” says Ford.
“Covid has highlighted the shortcomings of that fragmented risk infrastructure and moved it up the priority list of things you now need to do to be better at managing operational risk.”
This has prompted serious action: 67% of Acin Network banks are introducing or upgrading their data standard to drive digitisation. The remainder are considering it.
Monitoring your staff and digitising your data help handle internal threats and risk.
External dangers also need more technology.
Hazards from cyber-attacks to money laundering loom large in the home-working revolution.
Workers may be more vulnerable to phishing attacks when working remotely from their personal devices.
“There have been some very concentrated, smart attempts at phishing attacks,” says Ford.
“You can be distracted, the door goes, you didn’t mean to click on that email. You can ask someone at work about an email – but working at home lowers the guard, and that is an opportunity for cyber crime.”
60% of the Acin Network are transforming their non-financial risk management framework, including supporting infrastructure, to deal with these demands in a more sophisticated, data-driven fashion, in something of an industrial revolution for operational risk.
Regulatory debts cannot go unpaid
Cybercriminals are a threat in part because the disruption around Covid has opened up opportunities. Banks and their regulators spent the peak of the crisis ensuring the core functions of the financial system did not fall over, and so were a little more lenient on other operations – something criminals can exploit amidst the chaos of uprooting usual working practices.
This cannot be allowed to last forever.
For example, before the pandemic traders’ phone calls were recorded. When Covid struck, this rule was relaxed – the content of calls should be recorded, even if audio was not captured every time.
Banks need to realise two things.
First, this will not excuse any wrongdoing.
Second, the rules are going to come back into full force.
“If we find out in a year’s time that those three traders in a flat together were colluding – if it comes out in the data, say, or via a whistleblower – you will not be able to use the excuse afterwards that it was in the pandemic,” says Ford.
Working environments are still in flux, but regulators will not wait forever to let banks decide whether staff are working from home or in the office. They will need to apply the full regulations properly at all times.
“If you decide you want to have traders working from home, you need to be able to apply the same standards as before that environment,” says Ford.
“That is key – if you have changed your operating model to a much more distributed one, you need to be able to control that in the same way you controlled your previous one.”
That means better technology, from home internet to computers, to surveillance software, but also a risk management framework around it.
Traditionally risk managers might have discussed the outline at conferences, roundtables and seminars.
Now, they have to calibrate systems against the shifting standards with little human contact.
“Where is the new bar? You don’t want it set too high, so you choke off your business, nor too low as the regulator will question that. So what we are helping to do is share that information around risks, the controls, and the level to set them,” says Ford.
Acin’s Risk Intelligence observations show a 30% rise in controls related to supervision and surveillance since the pandemic struck.
This is important at all levels, including board directors and regulators – the overseers of the industry.
“Boards can benchmark themselves for revenue, rankings, credit risk via ratings, but they are now looking at how they are doing on risk,” says Ford. “They do not want to be the outlier at the bottom, underperforming, or an outlier at the top, if they have gone too far. Either will draw regulatory attention.”
The Financial Conduct Authority is keen to beef up its own analytics as it seeks ways to better monitor 60,000 regulated entities.
Nikhil Rathi, the regulator’s chief executive, has discussed the FCA’s own new “data strategy”, giving it closer insight into the activities of banks.
But while the regulator has an overview which allows comparison between finance firms, banks risk lacking that same insight. They need a way to benchmark themselves.
50% of Acin Network banks are in advanced conversations to do just that by widening Acin’s coverage, bringing more data on non-financial risk management into the platform and so gathering the information required to compare their own operations and performance with that of their peers.
The more banks are involved, the more robust operational risk frameworks and controls will be, to everyone’s benefit.
“We want a robust framework which allows the organisations and regulator together to see the measurement is correct, and the information and comparability is there, so decisions from the regulator and regulated can be made objectively, exactly as they are for credit risk or market risk,” says Ford.
The bottom line
For the non-risk managers, the most compelling reason for digitising this part of the bank is straightforward: saving money.
Replacing labour-intensive processes with digital systems, then re-allocating those staff to high-value tasks makes clear financial sense.
It is the same pattern as in the rest of the banking world, which has seen significant investment to create new systems, allowing enormous efficiency gains over subsequent years.
The most obvious at the consumer end is the invention of online banking and then smartphone apps, allowing customers to check their balance or carry out transactions instantly instead of queuing at the branch to ask the staff to perform the basics.
But this has not typically reached operational risk management, meaning highly qualified staff are tied up on administrative tasks and running the risk of making manual errors.
Instead they could be serving the key function more effectively: properly monitoring operational risk through a safer, digitised system. At the bottom line, this helps stop things going wrong and so avoids fines from regulators, and the cost of fixing mistakes.
“Banks need to invest in the technology to manage risk properly, and think of the cost of what happened before – cost-intensive, labour-intensive processes, with the risk of accidents and fines.”
That is also important when the regulator is watching with ever-more powerful tools.
The regulator’s own technology “should allow us to intervene sooner to reduce harm to consumers and markets. And smarter collection and use of data, backing faster intervention, should result in a lower total cost of regulation for well-run financial services firms,” as Rathi, at the FCA, has put it.
Banks would be well-advised to ensure they stay in the “well run” category.
Network Standard is the new industry publication for non-financial risk management leaders, delivered to you by Acin.