Banks and insurers are caught between two fires. On the one hand, there is the pressure to improve their cost/income ratios while making their digital transformation a success. On the other hand, they need to patch up ever-expanding internal control frameworks to bring them in line with increasingly demanding regulatory requirements. The result: high overhead costs, and stifled innovation. It’s time to make internal controls and frameworks more flexible, more transparent and more cost effective.
For a while now, risk and compliance professionals in the banking and insurance industry have seen the writing on the wall about the challenges facing their profession today. From implementing ever more stringent control requirement in legacy systems, to having to manage error-prone administrative control chores. From managing gaps in the three lines model, to having to improve cost/income ratios. We live, as they say, in interesting times.
Challenge: Increased control requirements in a patchwork of legacy systems
Banks have been tasked with ensuring their customers’ financial wellbeing, as well as having become society’s gatekeepers against money-laundering, fraud, and fiscal irregularities. Moreover, the barrage of regulatory requirements shows little sign of abating.
Banks responded to the emphasis placed on risk management and internal controls by erecting complex control frameworks to keep abreast of assorted financial malfeasances. These frameworks are often implemented in a less than effective way – in no small part because many banks and insurers operate a patchwork of legacy systems.
Challenge: Controls at the operational level are inconvenient bolt-ons to day-to-day work
In our interactions with clients, we often see a large amount of control and assurance activity in the second and third lines of the classic three lines model of risk management. The controls required at the operational level often take the form of periodic ‘bolt-ons’ to day-to-day activities, like end-of-month reports, spreadsheets and other administrative tasks.
In fact, it’s not uncommon to see control frameworks requiring over 1,000 controls – many showing overlap. All of these controls need to be administered, registered and reported. They then need to be monitored and checked (often manually) by the second line. More administrative chores.
Challenge: Fewer resources lead to short-term gaps in the three lines
The Covid-19 pandemic has spiked the demand for liquidity in society, while banks have had to administer the Dutch government’s NOW-scheme and invest in their financial restructuring and recovery departments, as a significant number of bankruptcy filings is to be expected. Of course, all while a substantial chunk of staff worked from home. It hardly comes as a surprise that, in the three lines model, many banks have taken to moving resources from the second line of defense to the first. The people who used to monitor the checks carried out on the ground, are now actually doing those very checks. This leaves a vulnerability at the second line of defense, waiting to be exploited by those who wish to commit fraud.
Challenge: Pressure to lower cost/income ratios
More structurally, banks are under pressure to lower their cost/income ratios. Fintechs are outperforming them on primary processes, while investors, public and private, demand a higher return on their investments.