How to manage operational risk in banking during times of rapid change

The unprecedented disruption of COVID-19 has changed how consumers interact with banks; there’s been a 20% increase in digital engagement levels and a halving in the use of cash. Many banks have also needed to rapidly meet the demand for new services such as ‘Interruption Loan Schemes’ to support those hit hardest by lockdown measures and, like many organizations, are operating with a partially remote workforce. Much of this change could remain even after the pandemic; one-third of retail banking customers plan to increase their use of digital banking as a more permanent shift.

As such, banks need to meet this new set of demands both in the short and long term. However, as a sector that’s built upon legacy systems, change — particularly rapid change — can be difficult to implement. The systems and processes — as well as the procedures, policies, and controls that banks employ to carry these out effectively — must be highly reliable and secure to maintain regulatory compliance and reduce the operational risk that comes with doing things differently. Any change must, therefore, be implemented carefully and with caution, but in the current climate, that cannot come at the expense of being able to respond quickly to customer needs. Banks must find a way to balance speed with managing the risks that accompany change, both now and in the future.

Ongoing operational risks

When it comes to operational risks, security is a primary concern. Banks are founded on the assumption that they provide integrity and confidentiality in customer dealings, protect customers from fraud, and ensure their details are not shared inappropriately. However, COVID-19 has seen a rise in digital transactions, in turn heightening security risks. With more transactions taking place through online channels, it becomes harder to spot suspicious or fraudulent behavior, and there is no shortage of fraudsters taking advantage of the situation to target banks and their customers.

Another key area of operational risk is third-party collaboration. Whilst this can help banks respond quickly, cut costs, and offer more innovative banking services, it can also expose them to increased risk. Compliance and security can be impacted by third-party negligence, but so can the availability of a bank’s service. If a third party’s product or service that is supporting the bank’s own offering does not work as expected, then consumers might not be able to access that offering at all. If customers are unable to access crucial financial services at any point either now or in the future, it could mean serious reputational damage for the bank. So, how can these risks be managed?

A digital tourniquet

In recent years, some banks have attempted to navigate the need for rapid change and the risks that accompany it by creating specialist digital teams. These teams are ringfenced away from the rest of the bank to reduce operational risk and remove any constraints to innovation. However, this often prevents innovation from reaching the wider bank, which still operates on monolithic technologies and systems. As such, innovation can wither at the edge and fail to deliver real impact for the bank and its customers.

Adding to these challenges, many banks are also battling with bottlenecks to innovation; 60% of IT leaders within the financial services sector reported they were not able to deliver all of the projects they committed to last year. This does not bode well for a time when rapid response and completion of new projects are key. Banks need to find a way to overcome these constraints, without creating unacceptable operational risk.

Accelerating change through flexibility

API-led connectivity can provide the solution that banks are looking for, allowing them to connect applications, data and devices without the tight couplings that lead to increased risk when change is implemented. APIs can effectively act as gatekeepers for data or processes, providing a natural place to apply security controls and maintain awareness of who is accessing resources and how. These controls can be embedded in APIs for employee and customer-facing processes, so threats and unusual patterns can be identified early and resolved. For instance, if a customer account is accessed from Italy but the bank knows the individual is based in the U.S., it can act immediately to protect the customer.

APIs can also provide a secure, standardized mechanism for onboarding and working with third parties, as well as for data-sharing within those relationships. Regulators have standardized some aspects of that in the EU PSD2 directive and the UK’s CMA Open Banking regulation. Finally, once a bank’s data is exposed in a secure, governed way using APIs, it can be more easily harnessed in new customer-facing applications within a cloud environment to meet growing demands and ensure services remain highly available.

Putting APIs to work

One bank that has adopted this approach is HSBC, which has developed an API strategy to support its adoption of cloud platforms, which increase the availability and scalability of its systems. The bank has built many APIs that expose its core capabilities in a multi-cloud application network. This unlocks legacy systems, making them available to support new services and enabling the bank to bring new offerings to its customers more rapidly. The APIs also help to enforce policies related to security, providing the capability to feed downstream online fraud detection systems.

With the banking landscape and consumer behavior changed — possibly forever — by the ongoing pandemic, it’s clear that banks need to have the capability to rapidly respond to new demands as and when they arise. By harnessing API-led connectivity, banks can support security, availability, and third-party collaboration, whilst also managing any risks that may arise along the way. By taking this approach, banks will future-proof themselves to cope with this unprecedented disruption in the short term and position themselves to thrive in a future that presents many uncertainties.

For more on how to become an agile bank with MuleSoft and Salesforce, check out our “Achieving a unified banking experience with MuleSoft and Salesforce” webinar.


