This article is co-authored by Brent Crider and Paul Kalamaras
Note: This is the first in a two-part series on transforming compliance and risk management to meet the pressing demands of today’s financial services environment. The second installment will provide unique insights on how to effect a transformation.
Why are many banks “transformation averse” when it comes to embracing technology, optimization, and outsourcing to bring their compliance and risk management programs into alignment with current best practices?
The market is sending clear signals to get going, as fintechs race ahead and innovations like artificial intelligence and machine learning (AI/ML) become commonplace. Early adopters have shown how transformation is done, tempering uncertainties and generating a wealth of successful case studies. And the price of inaction just keeps rising. Yet at the same time, personnel issues, upfront costs, third-party risks, and regulatory pushback represent understandable concerns, particularly for small and midsize banks.
As collaborators in compliance and risk management transformations at several banks, we three authors have come together to share our experience and analysis of the drivers and the obstacles to transforming these critical, increasingly complex functions. We’ve also tallied the impacts, seeing first-hand the many compounding benefits transformative efforts consistently yield.
All that we’ve learned in the field leads us to impart two important messages to banks that are still clinging to outmoded compliance and risk management approaches:
- Moving forward with transformation isn’t as hard as it once was.
- Continuing to put it off could be the biggest risk of all.
‘The risk of doing nothing today is different than even three years ago: Now, the risk of doing nothing far outweighs the risk of executing an operational and digital transformation.’ — Paul Kalamaras
Transformation Is Within Reach
Transformation means resetting and revamping compliance and risk management programs across the classic triad of people, processes, and technology. It can deliver many important payoffs, including higher quality, consistency, efficiency, effectiveness, scalability, repeatability, and enhanced regulatory integrity. While this article focuses on transforming compliance and risk management, transformation cuts across all aspects of enterprise banking operations, creating shared needs and cause for ongoing collaboration.
A simple breakdown of the areas to target in order to effect transformation includes governance, systems integration, automation, and data analysis (up to and including AI/ML)—all situated within a strong culture of compliance. Among these program elements, any that aren’t high-risk or high-value-added should be considered for automation and/or outsourcing.
While broad transformation may appear to be a lot to tackle all at once, the fact is that banks don’t have to dive straight into the deep end. They can start seeing benefits through a phased approach that will deliver short-term results as part of a longer-term, evolving program. The key is to identify the areas that can benefit from transformation, risk rate them according to importance, degree of difficulty and benefits to be derived. This enables the process of phasing, focusing first on those elements that will return the biggest return on investment, in the shortest period of time. Another advantage of phasing in transformation is the ability to validate expected performance improvements in stages and adjust the plan to accommodate both internal and external feedback.
Transformation Enables Growth
If the case for transformation could be distilled into a single word, it would be “growth.” Financial services companies of all kinds are realizing that they simply cannot grow their business under outmoded compliance and risk management models, especially with processes that require linear resource additions to support growing business volumes.
Take compliance, for example. Every growth strategy, from an acquisition to a geographic expansion to a new product line, creates another layer of regulatory overhead. Without undergoing transformation to enhance their efficiency, compliance programs at established banks must keep adding required staff that are either too costly or simply impossible to fill because of today’s acute talent shortage and fierce competition for quality resources.
Meanwhile, new market entrants such as fintechs grow their businesses from a very different starting point. Rather than build massive compliance programs just to get in the game, fintechs tend to institute transformative technologies and processes from the start and the outsource all but the most critical, value add processes. This layers competitive pressures on banks in addition to already increasing compliance pressures, in an environment of heightened regulatory scrutiny, enforcement actions, credit risk, and even bank failures.
* results will vary based upon state of the current program and selected transformation initiatives
What Else Is Driving Transformation?
The pressure to transform is coming from all angles, with some of the most urgent drivers including:
- Talent risk: One of the financial services industry’s biggest challenges today is finding and retaining digital talent when everyone (fintechs included) is competing for the same specialists in areas such as data analytics for regulatory reporting, data monitoring for fraud, and other digitally-intensive functions. The much-expanded remote work environment has only exacerbated these pressures.
- Heightened regulatory oversight: Recent bank failures are increasing financial regulators’ focus on bank compliance—beyond an already complex and demanding set of requirements in areas ranging from consumer protection to cyber resilience and anti-money laundering (AML).
- Tough business environment: The list of market trends stressing banks’ performance is long. Interest rate hikes are driving commensurate deposit migration out of banks while raising funding costs, resulting in declining margins amid more challenging asset growth and shrinking assets under management. These and other issues compound the impact of continuing to invest in inefficient compliance and risk management programs.
- Competition: Fintechs don’t flinch at the prospect of automation, outsourcing, and other fundamentally transformative tactics indicative of modern financial services companies. Instead of building from scratch, they lean heavily on third parties to gain greater speed to market, scalability, and competitive advantage, which takes clients and valuable business away from financial institutions wed to outdated processes and systems.
- Compliance matters: The recent collapse of Silicon Valley Bank and a handful of others has also demonstrated what happens when ineffective compliance and risk management programs fall short of their mandate to ensure safety and soundness. This puts inherent, implicit pressure on all institutions to self-examine their programs, looking proactively for gaps and taking distracting, but necessary steps to fill them.
‘Fintechs aren’t spending time building their entire compliance and risk management programs from scratch. Fintechs often leverage best-in-class vendors to help design their frameworks and staff their implementation. And they use those partnerships to create formidable competitive advantages, focusing their best in-house talent on the highest-value functions.’ — David Samuels
A Key Question: Eliminate, Automate, Outsource, or Staff?
In the face of all we’ve described above, compliance and risk management leaders have to weigh three options in designing every aspect of their programs:
- Eliminate
- Automate
- Outsource
- Staff
Elimination is the first step that should always be taken in transforming a program. Ask the tough questions about each and every step in the process, “does it matter, does it need to exist in the workflow, can we eliminate or replace it”? Surprisingly, re-designed workflows often lead to the elimination of duplicate and un-necessary steps, that seem important to the outdated process, but are meaningless in the new. The results typically yield substantial improvements in efficiency and processing times.
Yet, this is hard to do. Often owners of the processes are too close to the details and cannot identify the eliminations on their own. It is best to rely upon the fresh eyes of an independent, third party to review, test and redesign the overall end-to-end processes, especially when seeking to eliminate bottlenecks and unnecessary steps.
Automation, as one of the most impactful precepts of transformation, speaks to many of the drivers we’ve identified above. Amid the current “war for talent,” for example, automating selected risk management processes can give banks the breathing room to reduce mundane workloads and upskill employees to handle more critical, analytical needs. This yields both higher employee satisfaction and the more efficient use of limited budgetary spend. Under regulatory scrutiny, automated data collection and reporting can help banks deliver more consistently and accurately.
Automation only goes so far, though. Outsourcing can deliver the added benefit of ready access to a collective, constantly refreshed expertise that no single bank can sustain in running processes such as screening for fraud and sanctions. In other words, outsourcing is not just an exercise in labor arbitrage, but a shortcut to integrating best practice into day-to-day operations. From onshore, to nearshore, to offshore, the options to outsource elements of a program are fully acceptable to the regulators, as long as you maintain solid intake and quality assurance processes and own the final results. From compliance testing and risk control self-assessments to high-risk functions like enhanced due diligence, there are no boundaries to outsourcing, as long as the process is robust, well documented and validated / audited.
For all of the reasons mentioned earlier in this article, including the war on talent and wage inflation, staffing is never a decision to be taken lightly. Push button staff, those who primarily make decisions based upon simple data, or who assemble data and push the knobs, levers and dials on software platforms, should be hired only as a last resort. In our experience, certain key, highest risk, highest complexity functions, that also deliver the highest value add and which require unique subject matter expertise, should be the focus for internal staffing.
In addition, banks should seek first to hire individuals with, “digital talents” that can help them innovate and stay ahead of the competition. Where possible, this means hiring and retaining digital compliance technicians, data analysts, consumer protection professionals, data privacy specialists, financial crime and cybersecurity investigators, and others.
However, even if you outsource, you must ensure a proper level of internal staffing to oversee the outsourcing arrangements, including having an intake manager, some form of quality control and the proper third line of defense test / audit capabilities.
Again, however, most of these skills are all in high demand—not only in banking, but across all industries, which leads us to conclude that all banks should operate using a hybrid staffing model that relies upon a hedged, healthy mix of internal staff, temporary augmented staff and outsourced managed services resources. Our motto, “Have a backup staffing plan for your staffing plan”.
What’s Holding Banks Back?
As a concept, digital transformation has been around for years. In reality, it is still in its early days. For example, the Institute of International Finance’s (IIF’s) global survey of bank CROs revealed that about eight in 10 are increasing the priority of digital transformation, including automation and advanced analytics such as AI/ML, over the next three years.
What is it taking so long? Five key issues consistently arise within banks:
Personnel issues: These cannot be overstated. In any department, digital transformation implies job cuts, giving pause to bank leaders as well as the rank and file. With today’s talent shortage, however, we’ve found that employees who are laid off tend to rapidly find new positions either elsewhere in the same bank or at other financial institutions. And these people issues emerge at every step of a transformation. For instance, outsourcing often raises fears of the unknown, whether the new support staff are located across the country or halfway around the world. But such apprehensions are typically put to rest as working relationships and strong governance frameworks are established, and a plan is put in place to provide those who are displaced with opportunities elsewhere in the bank. For sure, it is not a reason to hold back from using third parties to run elements of your programs.
Upfront costs: According to the IIF’s CRO survey, accelerating technology transformation investments was a main driver of cost increases for over half of respondents. But the payoff can be enormous and usually quickly repays against the upfront costs. In fact, we’ve seen banks improve compliance and risk management productivity levels by up to 30%, just by taking the first few steps, such as converting data entry to robotic process automation (RPA) and using dashboards to enhance visibility across multiple data sources. With the redesign of the workflows, the elimination of un-necessary steps and the implementation of productivity tools, the results can be staggering, approaching 50% or more in gains. These improvements mean fewer resources and lower operating costs for current volumes, and it creates the capacity for greater overall growth without any increase in headcount. Either scenario delivers a solid return on investment.
Business line qualms: Speed-to-market, the customer experience, and other values held dear by banks’ business line leaders give them pause whenever compliance and risk management leaders suggest change. But transformation can actually strengthen a CRO’s or a CCO’s case in such an environment. As the IIF report notes, digital technologies can embed risk and compliance measurement, monitoring, and controls directly into business processes in ways that don’t compromise business efficiency even as they enhance time to market and the customer experience alike. In the end, CRO’s and CCO’s must be confident in the value to be derived through transformation, using their conviction to influence the first line leaders, including executive management, that transformation is not only a game changer, it is a source of competitive advantage and it pays for itself.
Regulatory pushback: Regulators take a heightened level of interest when it comes to embracing transformation programs. But not because they fear a program failure or a break in compliance. Instead, it is often driven by a concern that banks will not establish a solid plan of implementation and ongoing execution, with the correct levels of oversight and independent testing. This is particularly true in areas such as, integration, automation, information staging and outsourcing, where questions regarding data, regulatory filings, and ownership of the process must be addressed. Yet many regulators have also come to understand that the strongest bank programs today have less, not more human intervention in the process, are partially, if not fully, “wired up”, and rely on a combination of insourced and outsourced compliance and risk management processes. They now see the benefits of automation: Done right, automation increases the accuracy, consistency, and quality of regulatory reporting.
To reinforce this confidence and continue to build trust in new methodologies, it is critical for any bank to include its regulatory partners in its digital transformation design, planning and implementation. This should feature regular updates on the status, clear access to program owners, and constant validation of the new program elements. Taking the time to explain to the regulators, the goals of an automated process, for example, or running concurrent processes to demonstrate effective transitions of workflows, or demonstrating quality and oversight achievements associated with any digital or outsourcing project.
Third-party risk: In the end, you can outsource your risk and compliance management programs or elements of them, but you cannot take your eye off the risks associated with using third parties. As digital transformation brings third-party people, processes, and technology into a bank’s compliance and risk management environment, program leaders have to stay well ahead of a range of new risks, from simple errors to system failures to indirect cyberattacks. Take ownership of any all of your third-party relationships, using upfront negotiations, rigid service level agreements and contract terms, combined with proactive third-party risk management, to successfully identify and mitigate potential exposures.
‘A big part of any transformation is ensuring there’s a feedback loop, with strong governance and change control processes, to feed into the governance of your outsourcing relationship.’ — Brent Crider
The Takeaway
The financial services industry operates in an ever-changing environment in which today’s talent shortages, heightened credit risk, competitive pressures, bank failures, and regulatory challenges may recede—only to be overtaken by a new set of systemic market factors. So why, in an ever changing, dynamic market, would banks rely upon processes that are outdated, stagnant and inefficient.
Constant change forces the need for banks to constantly transform their operations. Stand still, stay complacent and customers will be lost, human capital costs will surely rise and profits will sink.
Operational and digital transformation is a must do—a key strategy that financial services companies need to engage in as a process of continuous improvement, subject to regular review, challenge, and revision.
Overcoming obstacles like those we’ve described—and achieving the outcomes inherent in operational and digital transformation—require bank leaders to embrace and communicate the understanding that it is no longer an option to innovate in today’s environment, but a precondition for banks to thrive. Essentially, successful transformations will come down to whether or not bank leaders have instilled a cultural affinity for innovation as well as compliance.
And the good news is that the more deeply you engage in operational and digital transformation, the better you get at it and the more it pays you back.
This article was co-authored by:
Brent Crider |
Brent Crider, Doctor of Executive Leadership, is a risk and compliance professional who is currently the Chief Compliance Officer at MoonPay. He previously served in multiple C-suite roles and has 35 years’ experience in public and private institutions leading program enhancements. Brent’s experiences range from creating organizations to improving and strengthening existing corporations to exceed performance standards. Dr. Crider retired from active duty in the U.S. Air Force after serving 20 years. He was a senior intelligence officer and served as the Director of the National Security Agency group at the U.S. Special Operations Command and spanning four continents. He is a Certified Anti-Money Laundering Specialist and holds advanced degrees in Economics and National Security and Strategic Studies. |
Paul Kalamaras |
Paul Kalamaras is the former Senior Executive Vice President and Chief Risk Officer at Investors Bank, a $25 billion asset commercial bank where he was responsible for the overall risk management of the company, including the credit, compliance, information security, BSA/AML, and enterprise risk functions and was a member of the bank’s Executive Committee. Previously, he served in a number of executive leadership positions in middle market, retail, and business banking lines of business in several regional and community banking organizations. |
Read the version of this article published in the September / October 2023 issue of ABA Risk and Compliance Magazine