The long-term fallout from the 2008 global financial crisis created several deep fractures in traditional-banking models. Most of the sectoral attention today has focused on weak operating profits and balance-sheet performance, especially the risks arising from the negative-rates environment and the collapse in yields on traditional assets, such as highly rated sovereign and corporate debt. Second-tier concerns in boardrooms and amidst C-level executives relate to the continuously evolving regulatory and supervisory pressures and rising associated costs. Finally, the anemic dynamics of the global economic recovery are also seen as a key risk to traditional banks’ profitability.
However, from the longer-term perspective, the real risks to the universal banks’ well-established business model come from an entirely distinct direction: the digital-disruption channels that simultaneously put pressure on big banks’ core earnings lines and create ample opportunities for undermining the banking sector’s key unique selling proposition—that is, security of customer funds, data and transactions, and by corollary, enhancing customer loyalty. These channels are FinTech innovations—including rising data intensity of products on offer and technological threats, such as rising risks to cybersecurity.
This two-pronged challenge is not unique to the banking sector, but its disruptive potential is a challenge that today’s traditional banking institutions are neither equipped to address nor fully enabled to grasp.
Traditional model vs disruptive challenge
Four years ago, in an article for Central Banking titled “Data: a core challenge for financial regulatory reform”, Keith Saxton and I warned that the regulatory and operational nature of banking has been changing through rapid growth in data-rich analytics platforms and tools, as well as thorough data-enabled product offers coupled with associated growth in demand for data security. Four years since, neither regulatory nor traditional banking models have fully embraced this reality of change.
The latest research from McKinsey & Co., “A digital crack in banking’s business model”, shows how digital disruption is catching traditional banks off-guard, drilling deep into banks’ core business lines, selectively targeting higher-margin activities. The study found that 59 percent of established banks’ earnings are generated by fee products, including advice, payments, origination, sales and other sub-services relating to lending and deposit offers. These activities yield returns on equity (ROEs) averaging 22 percent, more than 3.5 times the ROE for the balance-sheet provisions and execution components of the loans.
Digital companies (the so-called FinTech sector), large online-services providers (from Apple to Amazon) and service-offer aggregators (e.g., Moneymarket.com) are targeting behaviorally anchored transactions and payments services. This is the bread and butter of traditional retail banking: in 2014, transactions and payments services ranked as the second-largest source of profits for universal banks. Meanwhile, automated advice systems, along with technology-based lending platforms and capital-raising offers, are taking on the top-ranked profit-generation stream: asset management. Coupled with aggregators’ products available online, these include pensions and investment products, and insurance. The payments platforms’ disruption is already several years into an exponential growth cycle, as are aggregation services. Automated advice and disintermediated lending are just at the early stages of development. However, the ability of the technology sector to move fast into established markets along competitive advantage margins based on cost and quality of the offer cannot be discounted. More ominously, the ability of technology platforms to rapidly integrate their offers with other services, such as retail sales and structuring or bundling of consumer services (think of the change from Apple’s iTunes to Apple Pay, or from Google and Google+ to Google Wallet), implies that any technological innovation—however disruptive it may be on its own merit—will be ever more challenging for the incumbent players once services bundling can commence.
Unlike traditional banks, technological platforms in financial services are run on tiny margins, with savings passed to consumers not only via lower costs of services but also via offering broader ranges of services providers. In other words, unlike traditional banks, new services providers, such as NerdWallet, BankBazaar.com, Tencent, LendingHome, Moneysupermarket.com, Airpay, BnkToTheFuture.com, Knab, Sina Weibo and WeChat, and many more, do not rely on capturing consumers in their product-offer nets. Instead, these platforms can offer consumers a range of points at which they can seamlessly enter other platforms and services providers. This model of competitive cooperation is pushing down margins available to those traditional banks that engage with new platforms.
Preserving market share, retaining clients’ lines of business and balancing out the need for deposits with the opportunities for product sales is becoming an ever less and less profitable business for traditional banks.
Looking at data from another research study from McKinsey & Co., “The Fight for the Customer: McKinsey Global Banking Annual Review 2015”, over 2013-2014 the growth in ROE in the global banking industry was driven, to the upside, by the one-offs and indirect returns, such as tax savings, declines in fines and other costs, as well as reduced risk and operating costs. Meanwhile, margin increases turned negative, amidst growing external and internal competition pressures. Looking forward into the 2016-2020 horizon, improvements in the underlying interest rate environment, currently touted by many industry players as a panacea to the ongoing margins compression, by incumbent banking-sector executives are unlikely to provide an uplift in margins that could compensate for the corresponding increase in funding costs. Coupled with rising burdens of regulatory-regimes changes, this means that the traditional-banking model will come under an ever-growing pressure from more agile, less cost-burdened and legacy-weighted technology challengers.
Added vulnerability of the traditional global banks’ business model to technology-enabled challengers comes from the changes in operational and financial trends since the onset of the global financial crisis.
Prior to 2008, based on data from Thomson Reuters, the average Tier 1 capital-ratio cushion across the group of globally diversified banks was around 10.5 percent. Since then, the ratio has moved to an average of 12.7 percent in 2012-2014 and is likely to rise further in years to come. Beyond quantitative aspects of the Tier 1 ratio, improving the quality of underlying capital assets will further increase the overall costs associated with capital cushions. This will add to other significant margin pressures faced by banks.
Meanwhile, deleveraging during the global financial crisis has meant that loans-to-deposits ratios in advanced economies fell from 129 percent during the crisis to 108 percent today. The resulting decline in loans-assets profitability was partially offset by increases in leverage ratios in emerging markets, where the loans-to-deposits ratio rose from 76 percent prior to the onset of the financial crisis to more than 80 percent today. The trouble is that emerging markets have just entered the period of structural deleveraging. Added trouble is that this geographic segment of the financial-services market is now the main arena for competition between traditional banks and the FinTech-enabled challengers.
In other words, traditional banks are not only about to experience a dual squeeze on their profitability from the structural changes ongoing in the emerging markets, but they are also ever more vulnerable to such risks in the current environment of secular stagnation in advanced economies.
Thus, in a way, an apt analogy between today’s traditional banks and their FinTech disruptors is that of the early 20th century competition between the established, highly capitalized and legacy-weighted railroads and the strategically agile, more innovative carmakers with far less risky capital structures and leaner operating systems. Starting from the dominant position, the former witnessed their complete loss of high-value-added customers (passengers and time-sensitive, high-value cargo) to the latter within a span of a few decades. Adjusting for the speeds at which modern technology emerges and is deployed, the same process will take years, not decades, to complete in the banking sector of the 21st century.
The darker side of tech
If, in the above analogy, FinTech acts as the car industry to traditional banking’s “railroad-like” business model, then the other side of the technological revolution is pushing armies of train robbers onto the train tracks. While competitive pressures are rising fast, the disruptive nature of data-enabled technological innovations is also being felt on the side of systems stability and in the realm of cybersecurity.
In a forthcoming study by Professor Shaen Corbet of Dublin City University and myself, “Regulatory Cybercrime: Can Hacking Provide a Mechanism to Regulate Corporate Technological Structures”, we used data from public sources to identify, classify and analyze all major events relating to cyber-hacking and cybersecurity crises in the world of publicly traded companies, including major banks. In the banking sector alone, for example, 2012 saw 79 attacks involving exposure of client information, while in 2013, some 20 financial companies were targeted by concerted distributed denial-of-service attacks (DDoS).
The Ponemon Institute’s study published in 2015 found that the total cost of data breaches across corporate sectors rose 23 percent year-on-year in 2014, with cyberattacks now accounting for 47 percent of all data-breach cases in 2015, up from 37 percent in 2013.
In one recent attack, carried out by Russian hackers, the account data of some 76 million financial-services clients was stolen from a global banking institution. And, as claimed by the FBI, nearly 519 million financial records have been stolen from US companies by hackers within the period of 12 months prior to October 2014. And Russian hackers allegedly acquired more than 150,000 press releases from Wall Street publications in August 2015. It is claimed that this data was then used to gain a trade advantage, worth $100 million. In another attack this year, the entire business community of the Cayman Islands was targeted by concerted efforts to breach IT (information technology) systems security.
As revealed in an indictment, unsealed last month, in 2011 a group of Iranian-sponsored hackers launched attacks against 46 Wall Street institutions, including the New York Stock Exchange and NASDAQ.
Over the course of 2014, some 35 percent of the data thefts were from website breaches, 22 percent were from cyberespionage, 14 percent occurred at the points of retail sale, and 9 percent came from the use of credit or debit cards. Which implies that the risk of cybercriminals exploiting core banking-services channels for potential vulnerability was roughly four times more likely than retail-services channels. The presence of big data-based FinTech-services providers and other non-banks offering ebanking-related products complicates the picture, as recently noted by Packin and Aretz. However, to date, data from disclosed hacking and other cyberattacks on publicly listed companies does not support an assertion that FinTech challengers are themselves more prone to cybersecurity failures. Instead, traditional banks appear to be more the sitting ducks for cybercriminals.
As noted by Robert Anderson, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch: “We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement.”
Back in 2013, a McAfee report estimated financial gains from cybersecurity breaches to be in the realm of $120 billion in the US alone, with “the cost of identity theft using cyber techniques in the US” at $780 million. Other sources of cybersecurity-related losses by US banks were estimated at between $300 and $500 million a year. Per McAfee, “This is not an insubstantial loss, and if it occurred on our streets, there would be an immense outcry. However, financial institutions have regarded this as the cost of doing business in cyberspace.” And projecting these loss estimates into 2016, based on historical growth rates in cyberattack frequencies and severity, banking-sector losses in the US alone arising from cybersecurity breaches could reach USD 1.9 to 2.46 billion.
Despite the executives’ rhetoric about the urgency of preparing traditional banks for cybersecurity challenges, banking institutions continue to treat cybersecurity as a non-strategic matter. Three major cybersecurity exercises carried out in recent years in the US, UK and Canada, such as SFIMA-organized Quantum Dawn, CBEST and IIROC (Investment Industry Regulatory Organization of Canada) scenarios testing, all exposed significant areas of concern when it comes to the financial sector’s ability to counter systemic risks associated with cybercrime. More ominously, the results also indicate that at the organizational level, major banks continue to treat cybersecurity as a technical challenge, to be handled by the IT departments and monitored by compliance and siloed audit functions, rather than a strategic threat to be prioritized across the entire organizational structure through fully integrated enterprise risk management systems, from the board to the lower tiers of management.
When looked at from the financial markets’ point of view, our recent “Regulatory Cybercrime” analysis of corporate data shows evidence for the unexpected transmission of cybercrime events across financial markets during 2005-2015. These risk-transmission pathways are reaching beyond the known channels for spillovers between the share prices of the company subjected to cybercrime. Instead, they are impacting trading and portfolio links, institutional structures such as international subsidiaries, and constitute systemic-contagion effects. Using EGARCH methodology, we investigated the stock market volatility spillovers across publicly traded equities generated in the immediate aftermath of a hacking event over a period from 2000 to 2015. Our samples of such events include more than 850 occurrences of data losses and prioritize these events in terms of the size of the target company, the type of cybercrime and the number of client records affected.
Of the different types of cybercrime included, hacks are by far the most frequent type of attacks and appear to be targeted at higher-value companies. This may indicate that some of these companies may have superior security systems in place to mitigate physical theft of data devices and insider-triggered releases of data. In contrast to physical security measures, the increased sophistication of hacking appears to be more than capable of targeting large companies and banks. The frequency of success and the size of attacks also appear to be correlated in time. Of the 29 reported large hacks that occurred between 2005 and 2011, 21 events have generated volatility contagion across the markets. In comparison, over the 2012-2015 period, there were 34 identifiable data-breach or hacking events in our dataset, implying a rapid rise in the number of such events compared to the 2005-2011 period. More worryingly, of 34 events, 25 attacks resulted in contagion.
It is worth noting that our hacking-events database is predominantly reflective of the private-sector episodes. At the same time, as several high-profile events cited above suggest, financial-services providers are also witnessing increasing risks of state-sponsored cybersecurity attacks. In fact, Tom Lin deals with the latter issue of “new tensions relating to financial hostilities, cyberattacks, and non-state actors posed by financial warfare”. In a recent high profile episode, Swift, or the Society for Worldwide Interbank Financial Telecommunication, a global messaging platform used by some 11,000 financial institutions wordlwide, was exposed to a series of threats of cyber incidents. In these, “malicious insiders or external attackers have managed to submit Swift messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the Swift network” (quote source). Although the core systems of the Swift platform itself were not compromised in these incidents, malicious messages were, it appears, submitted to the Swift networked clients. Swift was forced to issue a security update and deploy a “new customer security programme – a dedicated initiative to reinforce and evolve the security of global banking”. (link to Swift initiative)
The twin developments of FinTech-led creative disruption and the hacking-led cybersecurity threats are hitting at the heart of the already weakened traditional-banking model.
The very core of this model relies on customer “stickiness” or loyalty in order to upset existent basic-services clients into higher-margin products. But the loyalty of these customers is currently on a decline, in part due to the technology challenges and in part due to traditional banks’ strategic failures to prioritize customer service and engagement.
In its 2015 study of the core-banking sector’s operations and strategy, IBM’s Institute for Business Value found that the gap between banking executives’ perceptions of the quality of their customer service and their clients’ views of the same is as wide as ever. In retail banking, IBM found that 62 percent of industry C-level leaders think they deliver excellent customer service. Only 35 percent of the industry’s customers agree with such an assessment. The gap was even wider in the case of higher value-added lines of business, such as asset management, where 57 percent of wealth-management executives believe they provide an excellent experience, while only 16 percent of their customers agree. Matters are even worse in the key areas of creating a personalized customer experience, encouraging customer loyalty and building customer trust. The latter issue is paramount to a bank’s ability to retain key lines of business from their clients. As many as 96 percent of bankers believe their customers trust them more than other non-bank competitors. Only 67 percent of customers actually trust their primary bank compared to other bank competitors.
The window for technological disruption in the traditional or universal banking model, opened by technological developments of 2004-2007 and widened by the global financial crisis of 2008-2011, has now been blown off its hinges by the sheer size of the incoming disruptors from the likes of Google and Apple. And the winds of technological and data changes are getting ever stronger.
(1) Gurdgiev, C. and Saxton, K. (2012), “Data: a core challenge for financial regulatory reform”, Central Banking, February 2012. http://www.centralbanking.com/central-banking-journal/feature/2153889/-core-challenge-financial-regulatory-reform
(2) Dietz, M., Härle, P. and Khanna, S. (2016), “A digital crack in banking’s business model”, McKinsey & Co., April 2016. http://www.mckinsey.com/industries/financial-services/our-insights/A-digital-crack-in-bankings-business-model?cid=digistrat-eml-alt-mkq-mck-oth-1604
(3) McKinsey & Co. (2015), “The Fight for the Customer: McKinsey Global Banking Annual Review 2015”, September 2015. http://www.mckinsey.com/industries/financial-services/our-insights/the-fight-for-the-customer-mckinsey-global-banking-annual-review-2015
(4) Corbet, S. and Gurdgiev, C. (2016), “Regulatory Cybercrime: Can Hacking Provide a Mechanism to Regulate Corporate Technological Structures” working paper, forthcoming, June 2016.
(5) Bloomberg (2016), “Iranians Hacked From Wall Street to New York Dam, U.S. Says”, March 24, 2016. http://www.bloomberg.com/news/articles/2016-03-24/u-s-charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt
(6) Ponemon Institute, “2015 Cost of Data Breach Study: Global”, May 2015. http://ibm.co/1FStqBu
(7) “Is Wall Street cyber secure?”, Global Risk Insights, April 21, 2016. http://globalriskinsights.com/2016/04/wall-street- cyber-security/
(8) Whittaker, J., “Hackers hitting Cayman companies: Ransomware scams a key concern for business”, April 12, 2016. https://www.caymancompass.com/2016/04/12/hackers-hitting-cayman-companies/
(9) Kelly, E., “Officials warn 500 million financial records hacked”, USA TODAY, October 20, 2014. http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
(10) Packin, N. G. and Aretz, Y. L., “Big Data and Social Netbanks: Are You Ready to Replace Your Bank?”, February 19, 2015. Houston Law Review, Vol. 53, No. 5, 2016, Forthcoming. Columbia Public Law Research Paper No. 14-460. Available at SSRN: http://ssrn.com/abstract=2567135
(11) McAfee (2013), “The Economic Impact of Cybercrime and Cyber Espionage”, Center for Strategic and International Studies, July 2013. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
(12) “Cyber Security in Securities Markets – An International Perspective Report on IOSCO’s cyber risk coordination efforts”, The International Organization of Securities Commissions, FR02/2016, April 2016.
(13) Lin, T. C. W., “Financial Weapons of War” (April 14, 2016). Minnesota Law Review, Vol. 100, p. 1377, 2016. Available at SSRN: http://ssrn.com/abstract=2765010
(14) IBM (2015), “Banking redefined disruption, transformation and the next-generation bank”, IBM Institute for Business Value. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=XB&infotype=PM&htmlfid=GBE03704USEN&attachment=GBE03704USEN.PDF