Rethinking risk after the SVB collapse
Joan McGowan and Tom French, both from SAS, join us on the BAI Banking Strategies podcast to talk about how the recent banking crisis has reframed how the industry contends with risk.
What are the key risk lessons from this year’s sudden failure of Silicon Valley Bank and several others?
Joan McGowan and Tom French from SAS join us to offer their advice to banking institutions on how to better manage the many risks they face.
A few takeaways from the conversation:
- Given the speed at which negative events can take place, McGowan says banks need to be able to make emergency decisions more in real time.
- Decision-making will also have to be decentralized from upper management to closer to the business front lines, and with more reliance on early-warning signals.
- French’s pro tip is for banks to closely examine their end-to-end customer journey to identify weaknesses that could be exploited by enterprising fraudsters.
INTERVIEW TRANSCRIPT
So Joan McGowan, head of U.S. financial services consulting, and Tom French, advisor for fraud and financial crimes, both of you at SAS. Welcome to the BAI Banking Strategies podcast.
MCGOWAN: Thanks, Terry, and it’s great to be back with you.
FRENCH: Thanks, Terry. Glad to be here.
So, Joan, a lot of your work focuses on the risk management side for banking institutions, and risk is certainly a front of mind issue for the industry following the collapse of Silicon Valley Bank and Signature Bank. So when you look at those institutions, what are your high level takeaways so far as how they manage their risk exposures?
MCGOWAN: Poorly would be my immediate answer to your question. In summary, and I know we all know this because it’s been well dissected in the media, I would say a failure to manage their asset liability risk, their exposure to concentration risk, one-dimensional management of interest rate risk, bad investment decisions, and generally poor risk management leadership all played a significant role in the collapse of SVB, and Signature, and Silvergate, but it does go much deeper. Banks must prioritize building out a much more robust governance and risk management best practice. It’s easy to tick the box and then blame the deregulation, but in the end, the buck does stop with the board of directors. I would also suggest to run more simulations in quantity, frequency, or trajectory, and put in place early warning systems. And finally, regulators and thus banks aren’t looking beyond credit risk. We’ve got to go far beyond credit risk.
So, of course, what happened at SVB, and Signature, and Silvergate, as well, not to mention Credit Suisse in Europe, has created a lot of concern that other U.S. banks, particularly the regionals with less than $250 billion in assets, that they may also have catastrophic risks lurking in their operations. So given that you live in this world every day, Joan, how are you looking at the potential for hidden or unappreciated risks in the U.S. banking system?
MCGOWAN: They probably do have quite a few hidden maybe catastrophic risks that they know little of, but it’s very difficult because these risks have so many interdependencies and interconnections outside of the bank’s control or their current visibility. The only way to get ahead of such risk is through data analysis and early warning systems. For banks, particularly the regional banks, this requires an awful lot of external data sets which they don’t currently have access to. On top of the extra data sets, there are known potential catastrophic risks on the horizon, and the most obvious one being if they have a concentration, say in the commercial real estate space, we’re seeing early indications of a spike in delinquencies, and for obvious reasons, lower occupancy rates following the pandemic at offices, particularly in the major cities, and higher interest rates. And this can lead to unrealized losses, and this will weaken the bank’s future ability to meet those unexpected liquidity needs. And again, the only way to react and hopefully prevent another crisis is to watch the data. If banks rely on the one-factor interest rate models, for example, they’re really seriously at risk in the current environment. Their valuations are wrong, their capital adequacy calculations are wrong, hedges are wrong, and the correlation of rates to let’s say the commercial real estate are completely ignored, so it comes down to getting the right data in place and having that in real time.
Tom, your specialty is in the fraud arena, and fraud certainly ranks among the most significant risk exposures for banks and credit unions. What do you see as the top fraud-related risks for banking institutions these days? And as you look ahead, what do you see as emerging fraud threats that that will likely grow in their impact in the coming months and years?
FRENCH: I see three distinct areas of fraud risk today. Number one, what’s old is new again, and that’s good old check and deposit fraud. Number two, new account fraud. This is where a crook fraudster opens up a new deposit account or a new credit card account. And three, identity-related fraud. And this includes a basket of identity theft, account takeover, synthetic fraud. And just a quick back step for those who are unaware, synthetic fraud is basically a made-up person. It’s Joan’s first name, it’s my last name, it’s Terry’s social security number and somebody else’s birthdate. It’s a made-up person, and that persona then gets used to open a new account and then deposit a check, move money around, and all this can be done through the digital channel. You also asked what will grow in the coming months and years. My crystal ball sees that there’s a lot more to come in the area of scamming: more variations, more volume. And if you think about the introduction of ChatGPT and the energy that that brought in the last several months, a risk manager will be thinking about how can ChatGPT automate, for example, a scam campaign. And so this all leads to what I’ve coined as the “industrialization of fraud,” and that’s what I see in the coming months and years.
One of the most striking parts of the Silicon Valley Bank and Signature Bank failures was how fast it all happened. In SVB’s case, there are reports that depositors were running for the exit at the rate of $500,000 a second, and at that rate it doesn’t take long to empty the proverbial safe. So, Joan, I want to ask you about the risks that have developed as the speed at which banking works increases. And Tom, maybe you could also weigh in on this speed variable from the fraud side.
MCGOWAN: It’s quite scary, really. Tom used the word “industrialization. I’m going to pick up on the word globalization. We really do have a connected world and that means connected risks and decisions made in real time by machines. So lots can go wrong and lots of things do go wrong without eyeballs on them. So let’s take a well-known risk and that would be AI bias decisions. These decisions can trigger and lead to reputational damage and trust problems, just as a simple example. And then if you think of the complexity of operational risk, that includes cybersecurity, technology issues, third-party relationships, geopolitical issues and natural disasters. These are huge risks and that’s just part of the list. Now if I just take one example, banks have growing, growing partnerships. The ecosystem’s opening up. If one of those partners makes an operational mistake, and we see this happening quite regularly, it becomes your mistake, it becomes the bank’s mistake. Having insight into that is really tough.
FRENCH: From my perspective, in real time and looking at transactions in real time, fraud practitioners have been facing real-time payments for years and years. If you think about wires and what all that involves, and Joan picked up on industrialization and globalization, wires are tough to track and follow, and you’ve got FedNow actually coming online very soon. So fraud practitioners have been monitoring real-time payments for many years, and what we’ve learned is that you need to be in the transaction stream scoring every transaction as a probability of fraud risk. And that means looking and monitoring the monetary transaction itself, but any non-monetary activity that may happen prior to the actual execution of funds movement. You’ve got to evaluate all of that. So bottom line, fraudsters have become much more sophisticated and they are using real-time payments rails every day.
From the risk perspective, be it fraud risk, be it financial risk or operational risk, how should banks be thinking about the downside of this near-time speed at which transactions take place in modern banking that Tom was just talking about? It seems that the prime directive for banks has been to make things faster because that’s what customers want and because the technology to do that is possible, but what does this imperative mean for the risk managers? Is there a point at which they won’t be able to keep up? Maybe Tom, could you start with that on the fraud side?
FRENCH: The fraudsters had a field day, and literally a capital investment, during the pandemic when a lot of money was pushed out, and fraudsters were ready to take advantage of that. And they are using and building out automated schemes to really pump up the volume of fraud attacks. And so executive risk managers must recognize that the fraud tools that worked 10, 15 years ago are not enough for today’s real-time environment. The risk posture must be reevaluated and must change, because where we’re headed, in my opinion, is a real machine-versus-machine type of environment where fraud analysts and data scientists will be deployed for financial institutions to really understand what is being coordinated with the fraudsters and how they are all connected.
MCGOWAN: I would absolutely agree with Tom here. The risk managers just don’t have the tools in place today and the status quo will no longer work. I think critical data is coming in way too slowly, and also within the risk world, the right hand doesn’t often know what the left hand is doing. Risk and finance is not fully integrated and it’s very, very difficult for incumbent banks with legacy systems and siloed operations to get the transparency that they’re going to require to see where the leaks are happening. And again, it’s all in real time and risk just doesn’t necessarily work in real time. So I’m going to emphasize that we’ve never seen this level of a hyper connection at such speed, and speed really has become the new norm. You don’t have time to get the chiefs in the boardroom, you will not have time to put in place the current business continuity plan. I mean, SVB wanted to sell itself – it just did not have time to do it in 48 hours. So all the old war games and the business continuity plans, they’re now out the windows. Again, speed is the new norm.
As you explain it, Joan, it makes a lot of sense that banking institutions should have special tactical teams that could spring into action and maybe make those on-the-spot decisions in scenarios where time is really tight, but that goes against the longstanding culture of deliberation and caution that prevails at banks and credit unions. What would you say to an institution that wants the ability to move faster, but has those cultural obstacles standing in the way of being able to actually do that?
MCGOWAN: Yeah, it really does go against the nature of the banking system and the risk averseness of what a bank should be. I fully agree, Terry, but there is no choice. Important decisions, going forward, these decisions are going to have to be made in real time by the person in situ, and that probably means it’s not a C-level or a senior executive. The decisions are going to have to be democratized – full decentralization of these decisions. And that to me requires, again, those early warning signals, and these signals have to be accessible to everyone in the bank, usually through reports, which should be continuously updated in real time, and behind that you have an action plan that’s well thought through, but the decisions are going to be made by, again, the person in situ. And such critical decisions as communication, turning off operations, reaching out to the Fed or the regulators, these are big decisions that now have to be made by the crowd. It’s a big change.
Tom, looking beyond the cultural obstacles to being faster-acting, there are other impediments as well, and an obvious one that comes to mind is the need to make the business case for doing something new, and then getting all the required approvals, and then getting that new thing into the budgeting cycle. When it comes to fraud, of course banks want to get that number down as close to zero as possible. What do they need to do to realize that goal?
FRENCH: Fraudsters have become much more sophisticated and those who fight fraud must also be more sophisticated, as well. At the 10,000-foot mark, the banks that are seeing decline in fraud are the banks that are actually willing to commit investment dollars in their fraud prevention and detection strategies and technologies. It requires more than a single investment – that’s what I want to hammer on – into one technology because once a vulnerability is plugged, the fraudsters will just simply move to the next one. It’s a game of whack-a-mole. So what it requires is a commitment to basically a holistic fraud prevention program. Because if the dollars aren’t invested in the fraud detection and prevention technology, the dollars will end up in the hands of the bad guys as fraud losses. Executives have to really understand and align their fraud ecosystem investments to the company’s strategic technology plan, and it must be done on a yearly basis.
You both have been offering a lot of solid advice about what banking institutions can or should be doing to get better results on the risk front. I want to finish up our conversation by asking each of you for a single parting thought. What do you think is the most important takeaway for bankers in narrowing that gap between where they are now in managing risk and where they want to get? Tom, maybe you could start.
FRENCH: Managers and executives need to do a couple of things – review their end-to-end customer journey from the aspect in the context of where and when a fraudster might take advantage of a product or a service. They need to prepare for current fraud risks, emerging fraud risks. They need to take into account the customer experience, whatever business-enablement capabilities are needed, and they need to have a capability stack of fraud detection tools that will keep consumers and clients both safe.
MCGOWAN: From a risk perspective, it goes beyond the one domain where Tom is talking about fraud. It’s across every aspect of the enterprise, and there really is no longer a single playbook for such a crisis or a future crisis and I think we’re back at the drawing board. I really think there’s an immediate need for some level of early warning systems, not only across the risk group, but across the enterprise. But beyond that, you need to have accessible real time reporting that is easily accessible, and then you need to have a program of what to do. You can’t leave the decision to the person in situ if you haven’t told the person how to plan that decision, what those actions will require.
Joan McGowan and Tom French from SAS, many thanks again for joining us on the BAI Banking Strategies podcast.
FRENCH: Thanks, Terry.
MCGOWAN: Yeah, thank you, Terry.
