DIGITALIZATION DEMANDS NEW FINANCIAL SERVICES CONTROL FRAMEWORKS

  • Lee Leonard, Bo McCarty & Sandeep Vishnu
  • Published: 15 July 2024


With the continued trend towards digitalization in financial services, the degree of connectivity and speed of activity across channels and systems has increased so dramatically that by the time a problem becomes visible it is too big to contain.

Archaic legacy control systems can exacerbate these problems, requiring manual interventions, leveraging disparate data sources, and being slow to adapt and scale. New control frameworks need to not only address these pitfalls, but also continue to manage losses and risks by being able to:

  • Adapt quickly to regulatory changes and impacts to ensure compliance and minimize legal risks
  • Meet evolving customer expectations by providing a seamless and consistent experience across all channels
  • Be flexible and scalable to accommodate growth and changes in the business environment.

Regulatory impacts. Regulatory changes are happening with greater frequency and impacts are becoming increasingly difficult to assess and manage, especially given the high interconnectivity and velocity of movement in the industry. Non-compliance can result in regulatory sanctions, fines, and reputational damage. Regulatory actions have increased, both in the number of actions and number of fines levied, highlighting growing regulatory expectations around the integrity of operational risk processes. Notable examples include:

  • In January 2024, City National Bank of Los Angeles was fined $65 million by the OCC (Office of the Comptroller of the Currency) due to systemic deficiencies in risk management and internal controls [1]
  • In October 2023, Metropolitan Commercial Bank was fined $30 million for third-party risk management oversight failings [2]
  • In July 2022, Bank of America was fined $125M for deceptive risk management and internal control practices along with other violations. [3]

Regulators require firms to have an effective risk management framework in place. Compliance with regulatory requirements is essential for firms to avoid negative impacts to the business and reputation.

Customer impacts. Customer expectations regarding risk management are increasingly focused on transparency, security, proactive management of the customer’s best interests, and data safeguards. Customers expect firms to have effective risk management practices in place to ensure the safety and soundness of their operations to protect their assets. Customers rely on financial institutions to ensure the integrity of their transactions across various digital channels. Lapses in control frameworks can lead to fraudulent activities or errors impacting their financial wellbeing. Robust control frameworks have a significant role in maintaining trust and safeguarding the financial institution.

Operational impacts. Inadequate control frameworks can cause financial losses from fraud or errors that go undetected, operational disruptions, and increased remediation costs, all of which contribute to undermining the overall efficiency and stability of the organization. Financial losses can stem from various sources, including unauthorized transactions, identity theft, insider fraud, or system glitches. These losses can be substantial and may also result in direct monetary damage to the institution, as well as indirect costs associated with investigating and remedying the situation, regulatory fines, legal fees, and reputational harm. Control frameworks must manage losses and risks proactively as opposed to reactively to stay ahead of the curve.


LEGACY CONTROL FRAMEWORKS ARE STICKY AND HARD TO CHANGE

There are several challenges when attempting to adjust existing control frameworks to compensate for the increased digitalization and velocity of client interactions. Specifically, four of the more common challenges in optimizing control frameworks include:

  • Data silos
  • Lack of automation
  • Limited agility
  • Continuously evolving regulatory requirements.


DATA SILOS

These silos, often stemming from legacy systems and disparate data sources, present obstacles for many financial institutions in facilitating decision-making and in implementing effective risk management programs. Without a unified view of data, institutions face difficulties in identifying and assessing risks comprehensively, leading to potential gaps, inefficiencies, and compliance issues.

Addressing data silos is crucial for financial institutions to unlock the full potential of their risk mitigation efforts, enabling them to harness the power of data analytics, automation, and artificial intelligence to proactively identify and mitigate risks. Furthermore, breaking down data silos enables a more holistic approach to risk management, ensuring that insights from across the organization are leveraged effectively to mitigate potential threats.

LACK OF AUTOMATION

Many existing processes rely heavily on manual workflows and do not embrace automation technologies. Lack of automation can hinder efficiency, scalability, and risk management capabilities. Embracing innovative solutions like AI-driven analytics and real-time monitoring can provide valuable insights and improve risk mitigation strategies. Incorporating automation technologies aligns seamlessly with robust control frameworks, enhancing their effectiveness in monitoring, detecting, and mitigating risks. 

By integrating AI-driven analytics and real-time monitoring into control mechanisms, organizations can proactively identify anomalies, strengthen compliance measures, and ensure regulatory adherence. This proactive approach not only bolsters operational resilience but also instills confidence among stakeholders in the organization’s ability to manage risks.

LIMITED AGILITY

Limited agility can stem from various factors such as bureaucratic processes, rigid organizational structures, or resistance to change. Archaic control frameworks lack the flexibility and agility needed to adapt to rapidly evolving digital environments and identify emerging risks. Neglecting to prioritize adaptability may leave organizations vulnerable to stagnation and increased risk exposure. 

For example, assume an organization implements an adaptive anti-money laundering (AML) control framework leveraging advanced AI and machine learning (ML) technology. Components of the framework could include real-time monitoring, a dynamic risk assessment of each transaction, quick integration of updates from regulatory bodies, and a feedback loop where outcomes of flagged transactions are fed back into the ML models, enhancing accuracy over time. Such an organization could stay ahead of regulatory changes, continuously adapt to new threats and patterns, manage emerging risks effectively, and lower operational costs due to a reduced need for extensive manual reviews.

By integrating flexibility and scalability into their control mechanisms, businesses can enhance compliance, mitigate threats, and maintain a competitive edge in dynamic environments. 

CONTINUOUSLY EVOLVING REGULATORY REQUIREMENTS

Regulatory compliance in and of itself poses significant challenges due to its dynamic and increasingly complex nature. Regulatory requirements are a constantly shifting landscape, and financial institutions frequently struggle to adapt quickly, leaving them perpetually playing catch-up. 

From stringent privacy regulations to evolving cybersecurity standards and complex reporting obligations, staying ahead of regulatory changes is no easy task, and outdated control frameworks increase the risk of noncompliance and the potential for penalties. It is essential for organizations to enhance control frameworks so that they adjust to regulatory requirements and facilitate timely implementation.

MODERNIZING AN ENTERPRISE RISK MANAGEMENT PROGRAM 

With the complexities that financial institutions face in today’s digital landscape, it is critical to explore and implement effective strategies to manage these challenges and thrive in an ever-evolving landscape.

To manage the increased speed of activity effectively, the industry must adopt new control frameworks that deliver on accuracy, speed, and management of nonlinear risks. Modern programs can effectively leverage data for granular insights while implementing real-time monitoring and dynamic controls for faster responses. Risks continue to be interconnected and can cascade and amplify across different areas, requiring network-based assessments rather than treating risks in isolation. Focusing on these core principles when building modern control frameworks can deliver a competitive advantage in today’s financial ecosystem.

Planning the modernization of existing risk and control programs can be daunting, especially as legacy processes frequently require the organization’s full attention to maintain the status quo. A streamlined approach to understand and optimize control frameworks across established and future state business processes can help scale the reduction of manual interventions and further set the stage for modernization efforts.

  • In reimagining control frameworks, a good starting point is to identify and develop a small set of representative processes that can be extended enterprise wide. Selecting and assessing a handful of key processes can create the foundation to scale while providing representative blueprints to show how to introduce techniques and steps to enhance efficiencies, such as reducing manual intervention, centralizing governance, and identifying use cases for adoption of automation.
  • It is also important to note the entrance of RegTech vendors that utilize advanced ML and AI technologies to supplement and support the modernization of risk management practices in today’s digital ecosystem. Defining requirements and understanding the ‘current state’ is not only vital to the success of deploying automated technologies that RegTech vendors can provide, but crucial in positioning an adaptive risk management program that is agile enough to keep up with the changing regulatory landscape.

Regulatory requirements will always be a moving target, and financial institutions will always be challenged to move with them. By proactively modernizing control frameworks, financial institutions can remain compliant and competitive. Embracing adaptability and robust control mechanisms will be key to thriving in an ever-evolving regulatory landscape.

Capco is adept at and has strong experience in developing adaptive risk management programs that link business process with data management and enabling technology to help reduce the probability of a large loss as well as mitigate impact if a loss were to occur. Our approach integrates continuous monitoring and feedback mechanisms to dynamically adjust and enhance the effectiveness of risk management strategies over time.



REFERENCES

[1] https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-8.html
[2] https://www.complianceweek.com/regulatory-enforcement/metropolitan-commercial-bank-fined-30m-for-third-party-oversight-failings/33751.article
[3] https://www.occ.gov/news-issuances/news-releases/2022/nr-occ-2022-84.html