THE PAYMENTS INSTITUTE — July 20-23, 2014 Emory Conference Center Hotel, Emory University, Atlanta, Georgia Norman Robinson, AAP President & CEO EastPay, Providing Payments Expertise® Principles of Risk Management



Agenda

• Risk management terminology and concepts
• The risk management lifecycle
• Define risk categories and elements
• Define enterprise or operational risk
• Define cross-channel risk
• Review
• Discussion


Learning Objectives

• Understand and recognize the elements of risk, including strategic, liquidity, reputational, fraud, credit, transactional, compliance, operational, and cross-channel
• Understand how these risk elements apply across payment channels


Five Steps to Risk Management

1. Identify and understand your major risks

2. Decide which risks are natural

3. Determine capacity and tolerance for risk

4. Embed risk in all decisions & processes

5. Align strategies and the organization around risk

Risk


Payments used to be simple

Banking Circa 1970

Cash

Checks

Wire Transfer


Payments are now more complex

Banking Circa 2014

Cash

Checks

Wire Transfer

ATMs

Debit Cards

Credit Cards

ACH

Remote Deposit

Virtual

Mobile


Risk Categories

1. Financial Risks

2. Management Risks

3. Operational Risk


1. Financial Risks

• Interest rate
  – Deposit terms and rates
• Price
  – Non-interest income
• Liquidity
  – Deposit operations fund the bank


Interest Rate

• Asset Liability Committee (ALCO) in place
• Assets = ?
• Liabilities = ?
• Spread
• Impact on earnings today?
• Impact on earnings next year?
• Stress tests
• Emphasis on Capital


Pricing

• Direct impact on earnings
• Missed opportunities
• FI’s philosophy
• Customer relations
• Market relevance
• Regulatory intervention
  – Overdraft programs
  – Durbin amendment
  – Dodd-Frank Amendment 1073
  – CFPB


Liquidity

• Deposit operations provide the overwhelming majority of funding for loan operations

• Interest rates and pricing impact liquidity
• Critical to success of the bank
  – Many recent failures were liquidity driven


2. Management Risk

• Strategic risk
  – Technology as an example
• Credit
  – Deposit operations
• Reputation
  – Customer service
• Business/Legal
  – Contracts/Agreements


Strategic Risk

• Flawed or failed strategies
• Deployment of technology
• Impact on financial performance
• Bleeds over into other risks or directly impacts them
  – Data breaches
  – Reputation risks


Credit Risk

• The obvious
• The not-so-obvious
• Broad implications for
  – Deposit operations
  – Wire transfer
  – ACH origination


Reputation Risk

• Probably the hottest topic today
• Not only who you are but who you do business with
• Loss of customer confidence
• Impact on earnings
• Loss of shareholder values


Business/Legal Risks

• Risk of opening the doors
  – Physical security falls into this category
• Proper policies
• Internal controls
• Procedures
• Documentation
• Contracts & Agreements


3. Operational Risk

• Transactional
  – Billions of transactions daily
• Compliance
  – The cost of not complying


Transactional Risk

• Sheer volume of transactions
• Multiple points of entry into legacy systems
• Internal controls
• Disaster recovery
• Contingency planning


Compliance Risk

• Regulatory compliance
  – Alphabet soup including Reg CC and Reg E
  – OFAC
  – AML/BSA
• Legal compliance
  – UCC 3 & 4 including Check 21
  – UCC 4a - wire transfer
• Network compliance
  – Pulse/VisaNet/Maestro/Star/Others
  – ACH Operating Rules


What is Enterprise Risk?

• Risk of loss across the entire financial institution resulting from inadequate or failed controls relating to:
  – Internal processes
  – People
  – Systems
  – External Events

• “Operational risk is embedded in virtually every activity a financial institution engages in, from check processing to trading activities, and the more complex the institution or process, the greater the risk of operational failure.”

• Thomas Curry, Comptroller of the Currency, March 4, 2013


Examples

• Internal fraud
• External fraud
• Customer or client interactions
• Financial products
• Business practices
• Damage to physical plant
• Business interruption
• System failures
• Execution and delivery of commitments
• Process management
• Employment practices
• Workplace safety


Manifestations

• Failures of:
  – Manual processes
  – Automated processes
  – Interaction of processes with faulty data
• One time events
• Cascading of multiple failures over time


Key Decision

• How to allocate capital to operational risk
• Challenge:
  – Operational risk has no naturally occurring monetary measurement; therefore,
  – No profit incentive exists to effectively motivate increased efforts to reduce operational risk
  – Ergo: justifying “up” is very difficult


Cross-Channel Risk

Risk associated with deposit accounts by way of multiple points of access (branch, ATM, call center, debit card, online banking, check, ACH, wire, etc.), or the presence of multiple risk types.

• Legal
• Reputational
• Operational
• Compliance
• Fraud
• Liquidity


Cross-Channel Risk and Account Takeover


Regulator Statement…

“…Thomas J. Curry, the head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence; Operational Risk. In fact, the OCC considers it currently to be at the top of the list of safety and soundness issues for the institutions they supervise. Furthermore, because the implications of operational risk extend to all other risks…. “Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation.”

Source: Compliance Guru, July 2012


$17 million Embezzlement

• Allegedly Defrauded More Than 100 Investors

• $17 million Unaccounted For

• Bank Closed by FDIC

• No Controls to Monitor “Investments”

Source: CNN July 2012


Account Takeover

What can criminals do if they access your Online Banking credentials?

Answer: Anything you can do

• Drain Funds
• ACH
• Checks
• Wires
• Consumer & Business


Account Takeover

Criminal

Victim’s Computer

Harvested Data:
• OLB Info
• Challenge Questions


Account Takeover Realities

• Stolen credentials, not weakness of Online Banking

• Matter of when a business network is infected, not if

• Even strong security can be bypassed

• Significant losses & damaged reputations

• Attacks will continue to get worse

• Typically learn of network intrusion when accounts are compromised


Account Takeover Red Flags

File or Wire Exceeds Exposure Limits

Unusual log-in activity (failed attempts, etc.)

Transactions on unusual days or multiple transactions in short period of time

Unusual Activity (Wires vs ACH, 2 ACH Files in 1 day, etc.)

Report of unauthorized activity

New Admin Credentials created

Report from users that their authority was changed
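
Several of the red flags above, expressed as detection rules over an online-banking event stream. This is an added example, not part of the original presentation; the event fields, profile keys, limits and sample events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed profile for one business originator; names and limits are assumptions.
PROFILE = {
    "exposure_limit": 50_000,          # max dollars per ACH file or wire
    "origination_weekdays": {1, 3},    # origination calendar: Tue and Thu (Mon=0)
    "usual_channels": {"ach_file"},    # this client normally never sends wires
    "max_failed_logins": 3,
}

# Constructed online-banking events, oldest first.
EVENTS = [
    {"ts": "2014-07-15T09:02", "type": "ach_file", "amount": 18_500},
    {"ts": "2014-07-19T02:11", "type": "login_failed"},
    {"ts": "2014-07-19T02:12", "type": "login_failed"},
    {"ts": "2014-07-19T02:13", "type": "login_failed"},
    {"ts": "2014-07-19T02:14", "type": "login_ok"},
    {"ts": "2014-07-19T02:20", "type": "admin_created"},
    {"ts": "2014-07-19T02:31", "type": "ach_file", "amount": 49_000},
    {"ts": "2014-07-19T02:40", "type": "ach_file", "amount": 48_000},
    {"ts": "2014-07-19T02:55", "type": "wire", "amount": 75_000},
]

def red_flags(events, profile):
    """Return (timestamp, flag) pairs for every event that matches a red flag."""
    hits, failed, files_per_day = [], 0, Counter()
    for ev in events:
        ts, kind = datetime.fromisoformat(ev["ts"]), ev["type"]
        if kind == "login_failed":
            failed += 1
            if failed == profile["max_failed_logins"]:
                hits.append((ev["ts"], "unusual_login_activity"))
        elif kind == "login_ok":
            failed = 0                               # streak of failures ends
        elif kind == "admin_created":
            hits.append((ev["ts"], "new_admin_credentials"))
        elif kind in ("ach_file", "wire"):
            if ev["amount"] > profile["exposure_limit"]:
                hits.append((ev["ts"], "exceeds_exposure_limit"))
            if ts.weekday() not in profile["origination_weekdays"]:
                hits.append((ev["ts"], "off_calendar_origination"))
            if kind not in profile["usual_channels"]:
                hits.append((ev["ts"], "unusual_channel"))
            if kind == "ach_file":
                files_per_day[ts.date()] += 1
                if files_per_day[ts.date()] == 2:    # second ACH file that day
                    hits.append((ev["ts"], "multiple_files_same_day"))
    return hits
```

Note that the two Saturday ACH files each stay under the exposure limit; only the calendar and file-count rules catch them, which is why the flags are evaluated together rather than one at a time.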


Mitigation

How to avoid potential loss

Origination calendars

Reasonable exposure limits

Client education

Static IP or IP address authentication

Layered security

Behavioral analytics and/or transaction analytics

Out of Band Authentication


ODFI Actions

Terminate or suspend access

Contact the RDFIs

Request R06 returns

Have Originator submit files other ways

Utilize ACH Operator risk monitoring service

Account takeover doesn’t always mean infected computer

Have an Action Plan / Incident Response Plan


Learning Objectives

• Understand and recognize the nine elements of enterprise risk (strategic, liquidity, cross channel, reputational, fraud, credit, transactional, compliance, operational)

• Understand how these risk elements apply across payment channels


Discussion

Questions
