WIXLIB

WHITE PAPERDIGITAL RISK MANAGEMENTIN BANKING

Banks are not new to the concept of digital risk management. Some of the veryfirst digital technology was developed as early as 1939,1 and banking was likelythe first private sector industry to widely apply digital technology to its day-to-daybusiness activities.A SHORT HISTORY OF SELECTED BANKINGTECHNOLOGYNotable applications of digital technology in banking include the following. In 1956, the American Banking Association adopted technology introduced byBank of America that employed magnetic ink character recognition (MICR) tocapture and sort physical checks. This innovation reduced the time to processchecks by 80%.2 This check-processing technology has become universallyaccepted throughout the banking industry. In 1967, Barclay’s Bank was the first bank to introduce an automated tellermachine (ATM) to dispense cash. Today, there are well over 1.7 million ATMsin use worldwide.3 Cash and checks used to be the sole means by which individuals would payfor the goods and services they received. In the 1950s credit cards wereintroduced, followed by debit cards in the 1960s and automated clearing house(ACH) payments in the 1970s. Each of these digital innovations dramaticallytransformed how banks extended credit and disbursed funds from customeraccounts, and how businesses disbursed employee payroll (which was oncedisbursed in cash or check but is now disbursed by ACH credits to employeebank accounts). While these technologies have not yet entirely supplanted theuse of cash and checks, they are well on the way to doing so.Source: Federal Reserve Payments Study: 2018 Annual Supplement, Board of Governors of the FederalReserve System ITAL RISK MANAGEMENT IN BANKING 2

Each application of digital technology in banking has created the opportunity toenhance positive customer experience, grow revenue through new and expandedservices, and process transactions more efficiently, effectively and at lowercost. However, with every opportunity digital technology has provided to banks,customers and counterparties, it has also transformed existing risk and oftenintroduced new risk.With every opportunitydigital technologyhas provided tobanks, customers andcounterparties, ithas also transformedexisting risk and oftenintroduced new risk. The application of MICR to automate check processing dramatically increasedthe speed of check processing and significantly freed up human resources,increasing revenue and reducing expenses. By carefully choosing the routechecks would take to settle, banks increased revenue by speeding up theavailability of customer check deposits and delaying the clearing of customercheck payments. Manipulating check routing allowed banks to use customermonies for longer durations, providing banks with more funds on which theycould generate interest income.The automation of check processing changed the risk of misrouted andmisposted checks from a discreet event associated with human, clerical error,into a systemic risk associated with the threat of malicious and accidentalcomputer programming errors. These systemic errors resulted in entirebatches of hundreds or thousands of checks being misrouted, disrupting thebank’s liquidity and introducing the need, on occasion, to correct much largernumbers of misrouted checks and associated customer compensation claims.In addition, decisions about routing checks not only had to consider howto maximize the duration of use of customer funds but also required banksto begin to seriously consider risks associated with the counterparties towhom the checks were being routed. If the counterparty receiving the checksexperienced financial or operational problems, it was possible that the bank’scheck settlement would be delayed. If the counterparty became financiallyinsolvent, the delay in settlement could take months, very much impairing thebank’s own liquidity. Consequently, counterparty risk management becamea best practice.The automation of check processing was initiated and managed by the bankingindustry itself, in the absence of any significant regulatory guidance. It wasn’tuntil 1987 that the U.S. Congress passed legislation to address concernsabout the length of holds banks were placing on checks deposited by theircustomers.4 Over the following 15 years, various regulations effectivelyeliminated banks’ ability to exploit the use of customer funds throughcheck routing because banks were obligated to provide funds availability tocustomers as quickly as the funds became available to the bank.Through process automation delivered by MICR technology, risk wastransformed from solely being associated with low-velocity operating errors tohigh-velocity risk, with significant financial and regulatory ramifications.DIGITAL RISK MANAGEMENT IN BANKING 3

The widespread deployment of ATMs and supporting ATM networks gavebanks an opportunity to grow their customer base without significantinvestment in new buildings and support staff, and to retain customers at verylow cost as they moved about geographically. ATMs enabled smaller banksto compete with larger banks within the same market footprint by simplyexpanding their ATM networks. It also allowed larger banks to penetratesmaller markets by installing an ATM in lieu of a bank branch.The threat of lost and stolen cash expanded from teller theft and branchrobbery to the physical theft of whole ATMs, cash mishandling and theftby third parties contractually engaged to maintain the ATMs, the physicalprotection of customers using ATM machines, and resilience of the ATMnetwork to ensure uninterrupted service. ATMs also introduced new, uniquelydigital fraud sources such as lost and stolen ATM cards, unauthorized ATM cardduplication and card skimmers, as well as raising data privacy concerns. Threatsources expanded from not only the teller or cash courier to persons stockingcash canisters, performing ATM maintenance and maintaining computerprograms for when, why and how cash should be dispensed from a machine.The larger ATM networks grew, the greater the impact of an ATM networkinterruption on customers and on the bank’s finances and reputation. Managingbusiness resiliency risk of ATM networks became a significant concern. Lastly,existing laws such as the Americans With Disabilities Act (ADA) and ExpeditedFunds Availability Act (EFA) were adapted by banking regulators to apply toATM operations. This required banks to modify physical ATMs with braille andaudio assistance and to manually examine ATM deposits to place holds andprovide required customer hold notifications.By 2012, there werealmost 900 millioncredit cards incirculation globally. The first universal credit card, which could be used at a variety ofestablishments, was introduced by Diners’ Club in 1950.5 By 2012, there werealmost 900 million credit cards in circulation globally.6 This rapid consumeradoption is an indisputable indication of consumers’ perception of the benefitof joining the “card economy.” Like other technology developments in banking,credit cards attracted more customers to the banks that offered them. But theyalso gave banks a more cost-effective means for delivering credit and paymentservices. Banks retained traditional credit risk but introduced new andchanging sources of risk primarily in the form of increased fraud and “modelrisk” associated with process automation.The Federal Reserve has estimated that “the value of fraud in total corenoncash payments in the United States, estimated using depository institutionsurvey data, rose from 6.10 billion in 2012 to 8.34 billion in 2015.”7DIGITAL RISK MANAGEMENT IN BANKING 4

Source: Changes in U.S. Payments Fraud from 2012 to 2016: Evidence from the Federal Reserve PaymentsStudy, Board of Governors of the Federal Reserve System, October 2018 raud-from-2012to-2016-20181016.pdfTo increase banks’ loan balances more quickly and cost-effectively, card-issuingbanks implemented increasingly complex computer models to automate decisionsregarding which consumers should be issued a credit card and how much theircredit card limit should be. “Model risk” became an operational risk concern ofbanking regulators because poorly designed credit card models could result inbanks taking on excessive future credit losses, and could introduce biases in theissuance of credit, inconsistent with the Equal Credit Opportunity Act (ECOA).Today, U.S. banking regulators pay close attention to not only model risk associatedwith credit issuance but also model risk associated with all kinds of models banksmay use to support or supplant human decision-making.8These are just a few examples of digital technology adopted by banks worldwide.The fact is that almost all banking activity today is supported by digital technology.Perhaps only for the purposes of handling physical cash do banking customers haveto visit a bank building. Every other product and service offered by banks can bedelivered and managed electronically. For many consumers today, money is solelydigital. These consumers embody the “cashless” society.Bank employees today (front-line, support and management) do their jobsinterfacing with bank systems directly through a terminal or via a distributednetwork of computers. Typically, bank employees interface with systemsvia computers on their desktop interconnected through an elaboratetelecommunication network, a part of which is invariably public-facingvia the internet.DIGITAL RISK MANAGEMENT IN BANKING 5