Proceed with realistic risk and compliance management practices as your institution moves into new products and services, and you may turn the current confusion about Washington’s mindset into opportunity.
Since January 20, hardly a day’s gone by without this question from a bank or fintech CEO: “How should I react to what’s happening in Washington?”
Much remains uncertain, but when it comes to innovation it’s clear to me that we’ve moved from a “no” environment to a “yes” environment. So this is the time to go full steam ahead with what you want to do.
What’s the key to getting that right and building a long-term sustainable business? Reimagining your risk management program.
Please note: Those who throw risk management and compliance out the window will predictably get into trouble. After all, regulatory risk is only a small portion of the risks banks face. And it’s pretty likely that the seeds of 2029 enforcement actions are being sown today.
But there’s a once-in-a-generation chance to rethink risk management, and a new initiative is the ideal place to start.
I suggest a four-step approach.
1. Make sure risk management focuses on areas of real risk.
Make sure that your planning and new approval processes focus on the big questions: What could go wrong? How much damage would be done if it did? How confident are we that we can put in place the controls needed to bring that risk within our tolerance?
Too often, I see risk assessment and new approval processes that, often with great intentions and sometimes encouraged by regulators, focus more on scoring risks and coming up with an aggregate overall risk score than on substantive risk analysis.
Don’t kid yourself. It’s of course great to quantify risk where we can. However, too many risk assessment methodologies give false comfort by rating risk categories on a vaguely defined 1-5 scale and calculating an overall risk score that gives an illusion of quantifying risk.
There’s an alternative to this charade.
Years ago I worked with a company that took an original, quite effective approach to risk management for new initiatives. They’d gather about 25 senior people from both the first and second lines of defence (the front line and the risk management and compliance functions, respectively) to discuss the proposal. At the end of the discussion, the five most sceptical people were given 30 days to convince the others not to move forward, secure in the knowledge that senior management valued their efforts.
Thanks to these devil’s advocates picking holes, in the cases where the company did move ahead, it had a high degree of confidence that it had thought through everything.
2. Don’t be scared of what regulators will do if you stop or change a process that isn’t working.
If a process is inefficient, re-imagine it. To be clear, no one wants money laundering, but anti-money-laundering compliance is an area where I often see a lot of inefficiency. In particular, too many banks treat the calibration of models as a one-way exercise that can lead to doing more but not less.
In one bank last year, I saw an alert generated by $1,500 of routine domestic transactions. When asked why, the team told me that they felt they couldn’t tell their regulators that they were eliminating rules or raising monitoring thresholds.
Even at the time this struck me as an underestimation of the many thoughtful, dedicated people working in banking regulatory agencies.
But in the current environment, everyone should be looking at what risk and compliance processes can be made more efficient and how to free up resources for more substantive, higher-order work.
One thing that hasn’t changed: Make sure you maintain a clear audit trail of the rationale for any changes made.
3. Embrace human-in-the-loop artificial intelligence.
Biden Administration regulators were very careful not to draw any red lines about the use of AI in financial services. However, regulated firms were quick to spot their evident discomfort and as a result, many moved at a more cautious pace than they otherwise might have.
Better tools for risk and compliance are a great place for firms to start to innovate, both to augment the parts of oversight where humans have blind spots and to free up resources for more proactive risk management work. Promising areas for that include:
• Policy and procedure development and review. No one in their right mind is going to ask ChatGPT to write their bank a policy. But even the deepest Reg E expert may struggle to remember to make sure that section 1005.10 (a) (1) (iii) on readily available telephone lines is adequately covered, especially when tired, hungry and racing to make family dinner. An AI tool with a well-curated library of applicable regulatory documents could help humans deliver better policies more efficiently.
• AI agents for level 1 alert review and the initial stages of investigations. I’ve seen compelling evidence that some financial crime teams have gotten to the point where AI outperforms humans at the triage of alerts. Those teams invested time to do this the right way, using parallel working to build up the evidence base that the AI agents delivered superior outcomes, and invested time in feedback loops. They are now reaping the benefits by freeing up more resources to focus on higher-level investigative work.
• Model validation. A number of promising startups are working on AI-based model validation tools. Some of those allow model builders in the first line of defence to see results in real time and make tweaks in advance of the second line of defence review. This allows for faster iteration of model development and makes the model validation process more efficient for both the first and second lines.
4. Automate quality assurance and testing.
Typical approaches to QA and testing assume that human review is necessary. That’s true for some things, but an increasing number of checks can be performed to a high quality in an automated fashion at a negligible marginal cost.
Now is the time to lean into ways to make risk and compliance more efficient and effective through automation. And where human judgment is needed, AI may increasingly be able to identify samples that appear anomalous — which would allow QA and testing to be risk-based, versus having the whole population chosen by random sampling.
See through today’s confusion for the opportunity: We’ve all had moments of frustration that so much risk management and compliance is kabuki theatre rather than substance. I’ve lost track of the number of 200-page risk assessments I’ve reviewed that told me nothing substantive about risk.
This is an amazing — perhaps once in a lifetime — opportunity to refocus your risk management resources on addressing substantive risks. Don’t let the opportunity to make that real go to waste.
Source: THE FINANCIAL BRAND