For Both Regulators and Banks, Tech Learning Curve Is Steep
EY expects more collaboration in standard-setting; Deloitte assesses early-stage AI take-up
Friday, February 1, 2019
By Ted Knutson
No longer mopping up from the financial crisis a decade ago, regulators are turning their attention to technology and its impact on their activities and on the firms they regulate, Ernst & Young says in its 2019 annual bank regulatory outlook.
“The increased velocity of the transformation agenda and emergence of new market participants, products, service providers and vendor utilities is unprecedented,” said EY's report, which was accompanied by a mid-January webinar.
Regulators are invoking technology in their push to have banks enhance corporate-wide risk management capabilities. New tools and processes may bring substantial efficiencies to both enterprise risk management and regulatory supervision.
At a time when there may be less unity or harmonization among global regulators as the crisis issues recede, EY said, “both regulators and banks are on a steep learning curve due to the fast-moving nature of technology and market applications. Regulators may need to adopt a more collaborative posture with the industry, rather than being a traditional rule giver, when setting standards for new products, services and participants.”
The report cites financial crime detection as an area of opportunity for technology, in which “the efficiency of national supervisors will be under scrutiny. No doubt this will mean increased pressure on financial institutions, which already have to deal with more complex sanctions regimes and increasing requirements to identify tax avoidance.
“In addition, the process of proper due diligence and risk assessment may lead to the unintended consequence of under-banked sectors, particularly in correspondent banking.”
A joint statement by U.S. regulators in December provided encouragement to the private sector to explore innovative approaches, including artificial intelligence, in anti-money-laundering and other challenging areas of compliance. (See Regulators Signal Readiness for AI in AML.)
Deloitte devoted a section of its 11th Global Financial Services Risk Management Survey, released January 23, to information systems and technology, saying that machine learning and cognitive analytics could significantly improve risk management efficiency and effectiveness.
“Digital technologies have the potential to fundamentally reengineer virtually every aspect of risk management,” said Deloitte Risk and Financial Advisory partner and survey author Edward Hida. “Financial institutions are now at the early stages of this transformation of their risk management functions.”
Fewer than 30% of respondents (from 94 institutions worldwide) to Deloitte's latest survey said they were currently using robotic process automation, machine learning, business decision modeling tools, and cognitive analytics (including natural language processing/natural language generation).
“These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions,” Hida stated. “They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors. Some banks have developed real leading-edge platforms for identifying potential conduct risk situations, for example.”
Legacy Issues Persist
While advanced-technology adoption is at a relatively early stage, EY's bank regulatory report said, “It is now essential to make processes more efficient via the use of AI and machine learning in client profiling and smarter transaction surveillance.”
The firm said it is critical to “balance the time and effort devoted to fine-tuning the legacy risk agenda with the need to focus on new challenges such as cyber risk, operational resilience and data privacy.”
In areas of data management and stewardship - challenges also highlighted in Deloitte's report - EY said, “The key steps to push through now are risk alignment, standardization of processes and aggregation of data from multiple sources onto a single platform. Machine learning, AI and natural language processing can help to quickly integrate customer, transaction and risk management data into decision-making processes, but their application must be accompanied by the necessary enhancements in traceability, data ethics standards and overall accountability for their use.”
Regulators face a balancing act when it comes to allowing customers “to control their personal data . . . If data privacy regulation becomes too onerous, it could compromise open banking or act as an effective barrier to entry for new participants. How regulators manage this trade-off between security and openness will be a crucial part of data regulation.”
Clouds and Third Parties
Third-party risks and frameworks for managing them are higher priorities than ever before, EY continued.
“Consequently, regulators are becoming concerned about financial institutions' increasing reliance on service providers to support some of their critical infrastructure, the use of the same providers by too many financial institutions, and the widespread use of the cloud. This is a new systemic concentration risk, which supervisors have yet to fully address.”
A July 2018 discussion paper on operational resilience from the U.K.'s Prudential Regulation Authority, Financial Conduct Authority, and the Bank of England “is an early indicator of what supervisors' expectations will be, such as the requirement that outsourced providers meet the same requirements as internally provided services,” EY said.
The convergence is particularly stark in the category of “financial crimes,” where, according to the consulting firm, “firms are focused on automating and integrating their efforts” to achieve goals of agility, efficiency, effectiveness and resiliency.
“Repetitive processes, especially due diligence processes related to customer onboarding, transaction monitoring, sanctions and fraud, are ripe for automation, including through use of blockchain technology,” KPMG said. “By automating aspects of these processes, firms may be able to identify misconduct and regulatory violations earlier in time, achieve greater consistency in output, and improve agility.”
KPMG pointed out that regulators will be keen to understand decision-making processes and any risks introduced by new technology.
Also regarding new technology risks, Deloitte said: “As institutions come to rely more heavily on AI tools, such as machine learning and neural networks, in pricing and product development, they will need to adapt their risk management frameworks and risk appetite to address the additional risks these applications create, such as the potential for inadvertent bias, rogue programs, or inaccurate automated results.”
A KPMG recommendation: “Plan for potential regulatory changes on the horizon - ongoing sanctions refinements, expectations for monitoring and reporting human trafficking, and for potential shared platforms/arrangements.”
KPMG's other nine key regulatory challenges, besides financial crimes, are: divergent regulation, risk governance and controls, data privacy, compliance processes, credit management, cybersecurity, ethics and conduct, consumer protections, and capital and liquidity.
GARP editor-in-chief Jeffrey Kutler contributed to this article.