Recent Trends in Risk Management in Banks

By Raymond Michaels – raymond.michaels@internationalbanker.com

Ever since the great financial crisis of 2008, risk management in banking has seen important changes. One reason for this has been the public outcry over the use of government funds to bail out privately owned financial institutions. There is also an increased focus on the prevention of money-laundering. And governments and various enforcement agencies are also putting great stress on the measures needed to stop the financing of terrorism.

All of these factors have contributed towards altering the risk-management function in banks in many ways. A recent paper titled, “The future of bank risk management”, written by Philipp Härle, Andras Havas, and Hamid Samandari for McKinsey & Company lists several developments in the risk function of banks.

Customer-driven changes

Financial-technology companies, or fintechs, are changing the rules of the consumer and small-business banking game. These firms, most of which are of recent origin, are flush with investors’ funds. According to a recent report by Citi, $19 billion was invested in fintechs in 2015 alone. These online firms do not have a bricks-and-mortar presence. Their entire operations are based on the Internet, and they have taken the ease with which customers can carry out transactions to a level that banks are finding hard to emulate.

Speaking about the ability of fintechs to develop alternatives to traditional banking, Jamie Dimon, CEO of JPMorgan Chase, the largest bank in the US, has said, “Silicon Valley is good at getting rid of pain points. Banks are good at creating them”.

Now banks are trying hard to copy their fintech rivals, and this is throwing up new challenges for their risk departments. For example, some banks are working on new account-opening procedures that require customers to provide very little data about themselves. Instead, information is obtained directly from public sources. Developments like these are forcing the risk function in banks to think of new ways to fulfil its role.

Cybersecurity risks

Attacks on computer systems are getting increasingly brazen. There are regular reports of systems thought to be impregnable being hacked into. Recently hackers broke into Bangladesh’s central bank and instructed the Federal Reserve Bank of New York to transfer funds into their account. Losses were restricted to $101 million by a stroke of luck; the hackers were trying to steal nearly $1 billion. But the Philippines bank into which the money was being transferred had Jupiter as part of its name. Jupiter is also the name of an oil tanker and a shipping company under United States’ sanctions against Iran. This lucky coincidence triggered the New York Fed’s system, and the fake transfer orders were detected.

With hackers using sophisticated techniques and new methods to get into the computer systems of banks, risk departments are having a hard time keeping up.

Changes brought about by new regulations

Last year, as part of her testimony on banking supervision and regulation, Janet Yellen, the US Federal Reserve chairwoman, said that the country’s largest financial institutions are still falling short of managing the risks that led to the 2008 great financial crisis. She explained, “Compliance breakdowns in recent years have undermined confidence in the (banks’) risk management and controls and could have implications for financial stability, given the firms’ size, complexity and interconnectedness.”

The McKinsey paper points out that most of the prudential regulatory framework devised to prevent a repetition of the 2008 crisis is already in place. But banks have yet to finalise internal models for the calculation of regulatory capital to comply with Basel IV requirements.

A recent report in The Financial Times points out that in the last few years, large banking corporations have hired tens of thousands of regulatory staff and rid themselves of trillion of dollars of assets in order to meet Basel III requirements, which will not be fully in force for another three years. Basel IV is taking a new approach as far as managing risk is concerned. Banks will no longer be allowed to develop their own models for calculating risk. Instead, they will have to use a standardised approach devised by the global regulator.

Risk departments will need to change their approaches.

Risk departments in banks will have to take several steps if they are to remain relevant. In addition to building strong risk-management cultures within their organisations, they will have to recruit staff who are knowledgeable about information technology and data science. They will also have to work closely with business functions to ensure that the new processes adopted by the business teams include features to detect and mitigate risk.