By Henning Soller, Malin Strandell-Jannson, and Marie Wahlers
The current COVID-19 crisis has significantly accelerated the need for financial institutions to adopt innovative technologies. Indeed, customers had no choice during the lockdown but to migrate to a digital-only world.
Digital technologies are a major enabler of more efficient, more effective, and thus less risky operations in the financial sector. However, this reliance on technology carries associated risks—reputational, legal, and financial—that have also risen drastically. Before implementing new solutions, institutions need to clearly articulate their risk appetite and then focus on managing that risk by promoting a culture of vigilance and compliance. Financial institutions that fail to appropriately address technological risks may face significant liability, since the legal and regulatory standards for technology-risk management are becoming increasingly stringent.
Institutions will have to balance the benefits of technological advances with the challenges of risk management. In our experience, three key components are equally essential to striking this balance.
1. Establish a new risk strategy and culture
When embedding new technologies into the organization, financial institutions need to determine acceptable levels of risk, develop a set of mitigating actions, and weave all of these elements together into a clear change story to mobilize employees. Once the aspiration has been articulated, it can be further cascaded and communicated within the organization.
The potential impact can be demonstrated by how technology can streamline risk-management compliance. In the past, most regulators relied on paper-based or semi-electronic report submissions to manage banks’ risk appetite. Today, we see a huge shift toward using data cubes[1] to interface directly with bank IT and data. This new reporting approach significantly eases reporting for banks, since data need to be provided just once in the prescribed format. But this technology also brings pitfalls, since the risk of inaccurate data submissions, inappropriate interface protection, and IT instability all increase substantially. One European banking group, for example, had to change its entire IT system for financial reporting, since manual corrections led to severe errors when data were submitted to the central data cube.
2. Ensure attention, knowledge, and support at both operational and board levels
For financial institutions to function more like technology companies involved in the financial industry, they will need to dramatically increase their knowledge of technology and its risks at the board level and throughout the enterprise. In recent years, financial regulation (such as BAIT in Germany) has increased its focus on the technological expertise of financial institutions as well as on their management, a development that will continue over the coming years.
From a strategy perspective, organizations can enrich and sustain their board’s understanding of technology and its associated risks through more frequent alignment meetings combined with a curriculum of boot camps and further training. From a legal perspective, board members may face increased liability risks if they fail to devote sufficient attention to managing the risks of new technologies.
This mindset shift at the board level must be accompanied by the appropriate focus at the operational level so that the risk, compliance, legal, and technology teams can lead this change across the organization. For example, risk colleagues will need to become more savvy about modern technologies and their potential risks, such as data breaches. The same holds true for legal and business colleagues, who can often be overly reliant on IT and vendors for guidance on technology risk. Setting up a comprehensive academy will serve to improve and sustain knowledge within the organization.
Similarly, new knowledge and understanding must be nurtured and supported by a much more collaborative work approach. In practice, changes should not be led by business, implemented by IT, and overseen by support functions. Instead, small cross-functional teams should be formed to deliver results end to end.
Take know your customer (KYC) for verifying a customer’s identity, which is primarily a compliance imperative for any bank. The business side needs to understand and support the process of compiling a portfolio of relevant customer information, while both front-end and control functions need solid technology expertise to guide IT in developing a complete solution. This does not simply mean using e-KYC tools wherever possible. Indeed, KYC is a perfect example of how innovative technology is not only a source of risk but also an essential tool to manage the burden of new regulatory requirements that cannot realistically be addressed without massive IT support.
3. Shift the organizational mindset from governance to reinforcing desired behavior
Compliance controls must go beyond defined standards to enable and promote specific behaviors. For example, General Data Protection Regulation (GDPR) is intended to ensure that personal data are handled with care and in accordance with an individual’s rights and privacy. GDPR does not require organizations to document every time personal data are used, but they must handle personal data with care and transparency. However, financial institutions frequently interpret and respond to such regulations by adding (possibly manual) governance controls that do not reduce risk but add to the regulatory burden without altering behavior.
Similarly, the frequently inappropriate and noncompliant use of new technologies can lead to enormous challenges and culture clashes between relevant stakeholders. A typical example is a large banking group that is forced to halt all development of advanced-analytics algorithms that use payment data because the legal team has considerable doubts regarding GDPR compliance.
One popular remedy is to automate security enhancements. A leading investment bank no longer relies on an extensive governance process for core-system updates. Instead, it uses automated patching when updates become available. This approach has substantially enhanced security while alleviating the need for a full-scale governance team for patch management.
Overcoming culture clashes involves altering mindsets: second-line functions should not reflexively pursue additional governance and documentation but instead design processes and establish standards with an eye toward changing behavior, such as using personal data only when necessary. The small cross-functional teams can then assume the task of embedding these guidelines into the fully automated checks that modern technology enables. One example is having personal data identified within the code and cross-checked with the GDPR’s process inventory. Automated checks must be positioned at the beginning (rather than the end) of the value chain because they incentivize the first line to fulfill standards. Otherwise, delivering new functionalities or completing the process will prove impossible.
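The automated check described above, as an added example that is not part of the article or its authors' work: the Python below assumes a hypothetical annotation convention (a `# pii: category=… purpose=…` comment on the line that declares a personal-data field) and a constructed processing inventory standing in for the GDPR records-of-processing register. Run as a pre-commit or CI gate, it fails the change when a field is unclassified or its declared purpose is not in the inventory, which is what positions the check at the start of the value chain rather than at the end.

```python
"""Shift-left check: find personal-data fields declared in source and
verify each against a GDPR processing inventory before the build proceeds."""
import re
from dataclasses import dataclass, field

# Constructed processing inventory (assumption: the real one would be loaded
# from the records-of-processing register). Maps a data category to the
# processing purposes the inventory has approved it for.
PROCESS_INVENTORY = {
    "email": {"kyc_verification", "customer_notification"},
    "iban": {"payment_execution", "kyc_verification"},
    "date_of_birth": {"kyc_verification"},
}

# Assumed annotation convention (not from the article): a comment on the
# line declaring the field, e.g. "# pii: category=email purpose=kyc_verification"
ANNOTATION = re.compile(r"#\s*pii:\s*category=(\w+)\s+purpose=(\w+)")

# Heuristic field names that usually hold personal data; an unannotated match
# is reported as unclassified so the owning team has to declare it.
LIKELY_PII_NAMES = {"email", "iban", "date_of_birth", "phone", "passport_no"}
FIELD_DECL = re.compile(r"^\s*(\w+)\s*[:=]")


@dataclass
class Finding:
    line_no: int
    kind: str      # "unknown_category", "purpose_not_in_inventory", "unclassified"
    detail: str


@dataclass
class GateResult:
    passed: bool
    findings: list = field(default_factory=list)


def check_source(source: str) -> GateResult:
    """Scan one module; the gate passes only when no finding is raised."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        m = ANNOTATION.search(line)
        if m:
            category, purpose = m.groups()
            allowed = PROCESS_INVENTORY.get(category)
            if allowed is None:
                findings.append(Finding(n, "unknown_category", category))
            elif purpose not in allowed:
                findings.append(Finding(n, "purpose_not_in_inventory",
                                        f"{category}/{purpose}"))
            continue
        decl = FIELD_DECL.match(line)
        if decl and decl.group(1).lower() in LIKELY_PII_NAMES:
            findings.append(Finding(n, "unclassified", decl.group(1)))
    return GateResult(passed=not findings, findings=findings)


# Constructed sample module under review: one compliant field, one field
# declared for a purpose the inventory never approved, one undeclared
# personal-data field, and one category the inventory does not know.
SAMPLE_SOURCE = '''
class OnboardingRecord:
    email: str            # pii: category=email purpose=kyc_verification
    iban: str             # pii: category=iban purpose=marketing_scoring
    phone: str
    ssn: str              # pii: category=ssn purpose=kyc_verification
    account_tier: str
'''

if __name__ == "__main__":
    result = check_source(SAMPLE_SOURCE)
    for f in result.findings:
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
    # Non-zero exit is what blocks the commit or pipeline stage.
    raise SystemExit(0 if result.passed else 1)
```

The inventory lookup is deliberately the only source of truth: a developer cannot make the gate pass by inventing a purpose in the annotation, only by getting the processing activity recorded in the inventory first, which is the behaviour the second-line function wants to reinforce.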
Integrating these three components into a coordinated effort will require a new strategy, new investments in digital literacy, and a new culture and mindset. When all these elements are present, financial institutions can confidently manage the risk associated with innovative technologies.
Henning Soller is a partner in McKinsey’s Frankfurt office, where Marie Wahlers is an expert; Malin Strandell-Jannson is a senior expert in the Stockholm office.
[1] The grouping of data into multidimensional matrixes.