Fintech Perspective: Balancing Speed to Market With Sound Risk Management

Christopher Monk, Managing Director
Business Performance Improvement

and

Tyrone Canaday, Managing Director
Technology Consulting

As financial institutions develop innovative technology, in-house or by partnering with fintech companies, they need to carefully consider regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5, which addressed the need for banks and other financial institutions to balance sound third-party risk management with the desire for ensuring speed-to-market for new products and services in a bid to remain competitive in today’s marketplace. The attendees primarily consisted of traditional financial services companies (81 percent) – mainly banking organizations and some insurers. Fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. Of those saying they are facing challenges with their third-party risk management programs (a large majority), one-third consider coordinating activities and workflow between different groups in the organization responsible for managing parts of third-party risk, such as the business (the first line of defense), the vendor management office, procurement and the compliance and information security functions, to be the most difficult. Seventeen percent of respondents highlighted the difficulty in gaining coverage of all of the organization’s third parties across all of the lines of business in the enterprise. Other issues include understanding and keeping up to date with all of the evolving regulations, and managing the workload by enhancing the efficiency and scalability of the third-party risk management process.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to ensure they understand what their current capabilities are, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can then begin to consider pushing forward with developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure third-party considerations are addressed throughout the process, and the level of risk management rigor and scrutiny is increased as they progress through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed-to-market for new products with the need for information security and risk management compliance as best practices, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

Bank Charters for Fintech Companies Top January Compliance News

By Steven Stachowicz, Managing Director
Risk and Compliance

In December 2016, the Office of the Comptroller of the Currency (OCC), which oversees many of the largest banks in the country, released its plans to consider granting special-purpose national bank charters to a broad range of financial technology (fintech) companies that are engaged in providing technology-driven financial products and services to consumers and small businesses. The idea is not without controversy as policy makers and industry participants alike debate the pros and cons of chartering such companies, and it raises important questions regarding the standards to which these companies will be held and the benefits to consumers such a move will provide.

The OCC plan tops the news in the January 2017 edition of Compliance Insights, and is highlighted there in further depth.

The products and services that fintech companies offer today rival many heavily regulated banking institutions, including in the areas of consumer and mortgage lending, payment services, financial planning and wealth management. Clearly, the OCC believes chartering these companies to be in the public interest, with the potential to both expand financial inclusion and empower customers to take more control of their finances. It is also an opportunity for the OCC to exert greater supervisory oversight of such companies, ensuring that they engage in safe and sound behaviors and treat consumers fairly, while also encouraging financial innovation.

The OCC makes clear that obtaining such a charter won’t be easy – fintechs will have to demonstrate sound business plans, appropriate risk management, and fundamentally strong financial strength and performance to meet the OCC’s high standards. As fintechs weigh the advantages of a charter against these costs, hardly anyone expects a rush of applicants in the short-term. However, with the proliferation of innovative technologies for financial products and services and increasing consumer adoption of these technologies, it is likely only a matter of time before you see the acronym “N.A.” (for “National Association”) at the end of the name of your favorite online consumer lender or payments provider.

In other compliance news:

  • The Consumer Financial Protection Bureau has released its semi-annual rulemaking agenda and announced its fair lending-specific priorities for 2017. Both announcements provide insights to the financial services industry regarding the agency’s rule-making and supervisory priorities in the upcoming year. Noteworthy items on the Fall 2016 rule-making agenda included arbitration, debt collection and integrated mortgage disclosures. In 2017, the CFPB will be targeting any potential redlining of minority neighborhoods, the role of race and ethnicity in mortgage and student loan workout options, and lending risks related to minority and women-owned small businesses.
  • The Financial Action Task Force (FATF) has published its first evaluation report since 2006. The international standards body, designed to develop and promote anti-money laundering and counter-terrorist financing policies, gave the United States high marks, but identified several areas for improvement.
  • India’s effort to crack down on illegal cash holdings by voiding all 500 and 1,000 rupee notes has had the unintended consequence of digitizing the country’s illicit cash flow. The effort, which removed 86 percent of the country’s cash in circulation, has spawned money laundering networks and alternative money transfer systems. U.S. financial institutions should continue to pay close attention to this developing situation and monitor the potential money laundering risks to their institution.
  • And finally, the Federal Reserve Bank of New York is spearheading an effort to find alternatives to the London Interbank Offered Rate (LIBOR) in the wake of evidence that several banks had colluded to report rates favorable to their trading positions. A decision is expected later this year.

All of these issues are discussed in greater detail in the January 2017 edition of Compliance Insights. Links offering a deeper dive into each of the specific topics are also available.

IT Innovation: Does Your IT Budget Have Room for It?

By Ed Page, Managing Director
Technology Consulting

One of the budget struggles chief information officers are continually faced with is reducing operating costs to make room for innovation. And while several studies, including our own, show that they have succeeded in bringing down “lights on” expenditures over the past decade or so, in many cases those savings have been absorbed by urgent non-strategic needs, such as compliance and security, too often leaving innovation to languish.

The consequences of failing to innovate are hardly trivial. The emergence of technology-enabled competitors who, unfettered by legacy technology, are able to develop and deploy new products and services faster and more efficiently threatens to leave behind older, more established companies, and especially those that perennially struggle to build innovation into their IT budgets.

I’ve seen this struggle firsthand in talking to our clients, and our recent benchmarking report, based on the responses of almost 400 C-level technology leaders to Protiviti’s 2016 IT Trends Survey, confirms it.

This dichotomy between the strategic and the urgent is evident in the numbers. While more than half of respondents overall (54 percent) said their organizations were undergoing digital transformation driven by the need for new functionality and innovation, virtually all of their top-10 priorities were security or operations oriented. Only 13 percent of the IT budget, on average, was earmarked for innovation or transformation.

In my experience, companies, and IT departments, fund their most urgent needs. Which means that, even though digital transformation is talked about, most companies are still stuck, budget-wise, in a reactive mode, putting out fires — regulatory, operational, and cybersecurity. These are very real pain points, so that’s where budgets are allocated. While there is an aspiration to transform, other priorities often prevent IT departments from getting where they want or need to be.

There is one consistent differentiator between companies that actually innovate in IT versus those that merely talk about it. The difference is that serious innovators make IT transformation part of their strategic plan and rely on it for the success of other strategic goals and objectives. Very often, these firms view themselves as technology companies, even if others might see them as part of another industry. As the CEO of Capital One, Richard Fairbank, once told investors, “We’re going to need to think more like technology companies and maybe a little less like banks.”

In the absence of a clear plan and executive and board buy-in, IT transformation is just another project competing with a lot of other projects for money. Aligned with company goals and objectives, it becomes an enabling force.

Where such strategic alignment can often benefit an established company the most is in modernizing core IT infrastructure. Management of outdated systems, on which everything else depends, is increasingly becoming the dead weight preventing companies from meeting new challenges and customer demands with agility and speed. CIOs and technology leaders are faced with having to invest more time and resources into keeping these systems up, while at the same time trying to squeeze cost reductions out of them without impacting service levels. In fact, responders to our survey pointed to legacy systems and processes as the number one obstacle impeding IT transformation.

The good news is that a small but growing number of organizations are taking the strategic decision to modernize their aging cores to achieve both increased agility and sustained long-term savings in costs and resources. Among respondents from financial services companies, 70 percent said their companies are undergoing digital transformation (16 percent more than the general population) — perhaps because the field, eagerly entered by emerging fintech companies, is even less forgiving, and because innovative IT structures, once implemented, can create significant opportunities where none existed before.

To be sure, transformation is disruptive, and replacing or modernizing core technology can be very expensive. Both of these barriers can be mitigated, however, through careful planning and a phased approach incorporating newer technologies, more modern architecture approaches and more nimble delivery methods, such as cloud technology, microservices, application program interfaces (APIs), and agile product development and software delivery methodologies.

Once again, real priorities are reflected in the budget, and innovation is unlikely to receive a bigger slice of the pie unless it is seen as a strategic, business project first. While cybersecurity, a key expenditure, will continue to command its share of IT resources, there is a case to be made that these resources can also be used more strategically, efficiently and effectively. We will focus on cybersecurity spend and priorities in a follow-up post. Subscribe to our blog to follow the discussion.

2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016 with the biggest implications were Brexit and the election of Donald Trump as president. Brexit was brought about by sovereignty and immigration issues, as those who voted to leave the European Union believed the UK – and no one else – should address UK-related decisions and control over its own borders. The U.S. presidential election arose from many issues such as immigration, trade, healthcare reform and jobs, among others.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things.

In technology, Google’s AI robot AlphaGo defeated Go champion Lee Sedol, and Uber launched its fleet of driverless cars despite some opposition. Both of these events speak to the future of artificial intelligence (an emerging risk we continue to track in our PreView newsletter). Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising our top two most read blog posts had to do with cybersecurity and cyber awareness. Our third most popular blog had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud, as the much-awaited Fraud Risk Management Guide was released by COSO and the FCPA launched its Pilot Program. (Also, the SEC gave six out of its 10 highest whistleblower awards this year.)

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

Modernizing Core Systems in Insurance: Ten Lessons Learned

By John Rao, Managing Director
Technology Consulting

Like all financial services companies, insurers rely on technology — which changes faster than any other aspect of the business. Core information technology systems, including mainframe technology, are aging rapidly, causing significant problems. These old systems require increased maintenance, which drives up costs, while operating knowledge is at risk of being lost as the workforce with the knowledge to maintain these systems ages and retires.

Older systems cause process and decision-making friction, degrading business agility, which can easily degenerate into strategic risks. Worse, the short-term fixes adopted by insurance companies over the years to postpone modernization mask broader long-term issues, and the patchwork of old and new technology is preventing firms from innovating and becoming more agile, efficient and customer-centric, risking loss of market share.

At the same time, the potential benefits of modernization are compelling: Increased premium growth through improved distribution effectiveness, targeted marketing, cross-selling, expanded analytics, improved customer service, improved pricing, and shorter new product cycle times.

Nevertheless, making the case for modernization can be a tall order because projects of this scale are typically measured in years and hundreds of millions of dollars. Cost and time were the biggest hurdles, cited by 44 percent of financial services executives in a recent Protiviti survey.

With so much riding on a successful implementation, a clear core modernization roadmap is critical. A new Protiviti white paper, Modernizing Legacy Systems in Insurance, makes the case for implementation, drawing on the experiences of those who have gone before to help those just beginning the modernization process.

Without going into every detail in this post, here are the top ten lessons learned:

  1. View a legacy modernization program as an opportunity to achieve world-class performance — without this vision, the expense is hard to justify.
  2. Ensure long-term senior executive support and buy-in as required for a strategically-important project of this magnitude.
  3. Begin with the end in mind: Define strategy, objectives, investment, business value, and the target operating model.
  4. Build a business case for change that does not underestimate the change management component.
  5. Establish success criteria upfront and measure success in terms of tangible business benefits.
  6. Establish governance that includes key constituents.
  7. Avoid “paving the cow paths,” or investing in new technology and then performing the work the same old way. Instead, redesign processes for efficiency, service and agility.
  8. Apply proven techniques from leading financial services organizations: Straight-through processing, automation, robotics, data analytics and digitization.
  9. Use a program management office (PMO) and manage the project with discipline, enabling collaboration with key stakeholders and providing constant communication between the teams.
  10. Legacy modernization projects are complex and challenging; they require the “A” team. Obtain outside assistance as required.

Take special note of lesson seven. One of the most common mistakes companies make when upgrading technology is failing to optimize the underlying business processes.

Good questions to ask when developing your roadmap include: Why are we doing this? What is the business case? When should we proceed? Where will the technology be located? Who will help us? How will we manage the project in a risk-aware manner?

Taking time to answer these questions and carefully planning upfront will help to mitigate implementation risk and ensure that your organization gets optimal return on its technology investment.

Read the full white paper here.

Fintech Promises Faster, Easier Payments for People and Businesses

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, takes place Oct. 23-26. Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.

 

Jason Goldberg moderating a panel on customer experience at Money 20/20.

By Jason Goldberg, Director, Financial Services Business Performance Improvement

Financial technology, or fintech, firms are promising to revolutionize the person-to-person (P2P) and business-to-business (B2B) payments industry, and are already causing a seismic shift in this sector. On the floor at Money 20/20 this week, some of the hottest discussions are revolving around payments: cross-border transfers, customer authentication and fraud, customer experience, and open APIs and cloud processing specifically are a focus of fintech companies.

Unburdened by regulation and legacy IT systems, new entrants in the payment services space are claiming to provide faster and cheaper transfer of monies, both domestically and across borders, than the established players.

PayPal, the first big shock to the payment industry, was launched in 1998 and for years remained one of the most popular alternatives to using credit cards for online purchases. Today, it is just one of a multitude of person-to-person (P2P) and business-to-business (B2B) payment alternatives being used on any number of devices.

Ironically, the flurry of new technologies and players has lumped one-time industry disrupter PayPal in with traditional payment services, as technology behemoths such as Google, Facebook and Apple have entered the payment space. Seeing the writing on the wall, established players like J.P. Morgan Chase, U.S. Bank, Bank of America, Wells Fargo and other well-known financial institutions partnered five years ago to launch digital payment provider ClearXchange to fend off fintech upstarts. Just this year, ClearXchange began offering a real-time payment option for users who want to avoid the traditional three-day transfer period.

In cross-border payment services, traditional service firms like SWIFT, Visa and MasterCard are also under threat from new entrants. Upstarts like Align Commerce, Traxpay, Payoneer and others are relying on distributed ledger technology (DLT), aka blockchain, and virtual currencies to speed up the payment process and make it both secure and transparent. The use of DLT provides a faster, cheaper and trackable mechanism for the transfer of funds. Where a SWIFT transfer may take four or five business days, new entrants can promise transfers within two days and for about half the cost.

These new developments, and our discussion of them, are outlined in a recently published paper, Innovating Payments. All the trends point toward mobile, instant and near-frictionless transactions. But established players are not likely to be disintermediated; they are more likely to embed real-time, P2P functionality within their secure banking apps, and earn fees from other payment interfaces.

The battle for the digital payment market is far from over. Regulators are watching the developments closely, and will surely have the last word on what technologies become widely adopted. As far as consumers and businesses are concerned, the future of payments looks promising.

Money 20/20, Day 3: Get the View From the Inside With Today’s Podcasts


Ed Page, Managing Director, Technology Consulting for Financial Services, on IT Trends (6:08 minutes)

Nirav Shah, Director, Risk and Compliance, on Regulating Fintech (3:03 minutes)

Nirav Shah, Director, Risk and Compliance, on Good vs. Bad Innovation (4:46 minutes)

Robert Ferguson, Senior Manager, Business Performance Improvement, on Customer Stickiness (3:21 minutes)
