Financial Services Risk Management Issues: Old Wine Products in New Bottles Technology

Timothy R. McTaggart, Partner, Pepper Hamilton LLP

Mobile banking, peer-to-peer lending, use of Cloud Computing, proliferation of social media, and the use of Big Data, all can have novel impacts on the operation of financial services entities regulated by federal and state regulators. This article describes several significant regulatory perspectives on risk management as the financial services industry adapts to providing its traditional products (e.g., “the Old Wine”) with new technology (e.g., “the New Bottles”).

Here are the trend lines:

1. Enterprise Risk Management: The bank regulators want to see an enterprise-wide risk management system in place at regulated financial institutions. The regulators want systems and personnel to operate on an integrated centralized basis, across functional lines and outside of narrow organizational “silos.” If there is not a centralized Chief Risk Officer function in place, the regulators will want to see a centralized risk management and control committee established.

2. Risk-Based Assessment, Not Zero Tolerance: In general, the bank regulators will be satisfied with policies and procedures designed to manage the organizational risks scaled to the severity of the potential risk, but without seeking a complete 100 percent management of the risk. I quickly add that the overall management of risks will need to be very close to 100 percent, however. Nonetheless, there will be some risks that go undetected and provided that the internal controls and risk management systems subsequently detect and address the errors or weaknesses, the bank regulators (and external auditors) likely will be satisfied.

By contrast, even if there is a non-material risk but it is one that continues to occur repeatedly, or even worse, it is an error previously noted by the regulators in an examination report, bank management (and, by extension, management at vendor IT firms for technology issues in outsourced arrangements) will likely be downgraded/criticized for not taking action to respond to an ongoing “fixable” problem.

Check Out: Top Risk Management Solution Companies

Additionally, there are some statutory requirements with respect to certain consumer finance laws that provide a close to zero tolerance level for any type of calculation or related errors.

3. Speed: The marketplace is faster today due to social media and other communications advances. Financial institutions are obligated to guard their organizational reputations and to provide products and services that maintain their reputation among consumers and investors. Consequently, financial institutions are required by their regulators to closely manage their vendor relationships, especially technology providers.

For example, a financial institution needs to be able to “triage” a situation that impacts its reputation due to malfunctioning technology or due to breaches of private information. The speed at which the news of a problem can spread is now much faster in this networked environment as compared to earlier generations when many of the senior regulators were first trained as supervisors. The speed in the marketplace puts added pressure on industry and regulators to get the problem resolved as soon as possible and not to unleash another round of issues with poor execution in addressing the initial problem.

The best preparation for financial institutions to respond to the increased pace and speed is to arrange in advance of a crisis to have a single point of contact for media inquiries, for regulatory inquiries, and for investor inquiries. The financial institution, along with its technology vendors, as part of their ongoing assessment of the risks involved in the business relationship between the parties, need to evaluate various “What If” scenarios to make sure that the necessary training on both sides are implemented and ready to be used to assist each firm when a crisis develops.

4. The Camel has more than Two Humps: It’s All Risk All the Time: Historically, bank regulators examined banks for compliance with Capital, Asset quality, Management strength, Earnings and Liquidity, the so-called “CAMEL” review. Over the last several decades, the bank regulators continue to use these baseline evaluations but also have extended the range of risks to items that are not so heavily oriented solely to financial and business costs. Regulators have asked financial institutions to look beyond interest rate risk to also consider legal and operational risk, regulatory risk, and compliance risk.

“The speed at which news can spread is now much faster in this networked environment as compared to earlier generations when many of the senior regulators were first trained as supervisors”

In short, the regulators have shifted the focus from a determination of whether a specific product is “profitable” by solely looking at the associated revenues and costs, and instead asked whether there are some hidden risks or costs pertaining to operational, compliance or reputation risk that might arise in due course. This is now the standard approach for evaluating risk and the “old way” of simply measuring marginal revenue versus marginal cost is no longer the only inquiry necessary.

5. FFIEC Guidance on Social Media: On December 17, 2013, the Federal Financial Institutions Examination Council (“FFIEC”) issued guidance on “Social Media: Consumer Compliance Risk Management Guidance.” Social media is broadly defined in the Guidance and the definition is intended to evolve over time. However, notwithstanding the breadth of the social media definition, the Guidance clarifies that e-mails and text messages are not considered social media unless those messages are further linked with social media channels, such as Facebook.

The Guidance is not intended to impose any new requirements on financial institutions. The Guidance instead details how the existing legal and regulatory requirements must be followed when social media is used in the financial services marketplace. The Guidance also contains a strong message for financial institutions to monitor social media to stay current on commentary about their respective institutions. Consistent with the points noted earlier in this article, the Guidance expects financial institutions to have a comprehensive risk management program to address and control the broad spectrum of potential risks related to social media, including compliance and legal risks, reputational risks, and organizational risks.

6. Conclusion: The critical themes that emerge from the regulatory trend lines are as follows:

• Board and senior management need to be actively involved in risk management and any material reporting of errors/concerns.

• Financial institutions must closely review the selection and management of third-party relationships.

• Employee training must be developed to support the risk management process.