bobsguide Risk Management Systems Guide 2016


bobsguide

The leading web resource for financial technology


Welcome to this year’s Risk Management Systems Guide from bobsguide, the leading resource for financial technology. 2016 is set to be a big year for risk management. New technologies are coming out and financial institutions are taking risk seriously as we approach the 10 year anniversary of the financial crisis. Our Guide features a comprehensive matrix that allows buyers to compare the functionalities that products are offering in the market today. Alongside the Risk Management Systems matrix, our range of features delves deep into the role of the risk manager and the battle against money laundering and terrorist financing. We also take a look at the evolution of risk management and what industry experts are predicting for the future. Enjoy reading the 2016 edition of our Risk Management Guide.

Madhvi Mavadiya, bobsguide Editor

Editor: Madhvi Mavadiya, madhvi@bobsguide.com
CEO: Anne-Marie Rice, annemarie@bobsguide.com
Sales Director: Stephen McMaugh, stephen@bobsguide.com
Business Development Manager: Stefano Perciballi, stefano@bobsguide.com

Contents

The Ever-Changing Role of the CRO
AUTHOR: MADHVI MAVADIYA
The chief risk officer, responsible for governing significant risks and managing compliance with regulation, is fast becoming a fundamental member of the corporate board. Is the CRO as important as the CEO?

The Evolution of Risk: End of the Rear-View Mirror
AUTHOR: SARAH GILL
This year is set to be the year of the fintech enablers, rather than disruptors. This will result in the financial technology industry acting as a catalyst for risk platforms to plunge into a pool of innovation and tech expertise. Sarah interrogates what the future holds for risk technology in this arena.

Biometrics: The Risk Industry’s Front Door?
AUTHOR: BENJAMIN RABINOVICH
2015 saw the emergence of biometric security solutions and we are beginning to see this technology implemented in products in the financial industry, but will we see a complete takeover of digital authorisation in the risk industry anytime soon?

Compliance and Best Practices to Combat Misconduct
AUTHOR: BEN POOLE
As fraud, hacking and terrorism financing continue to occur despite the introduction of new regulations, it poses the question of whether risk management systems are secure enough to deal with these breaches of conduct. This feature explores whether the risk sector can function when countering financing of terrorism and anti-money laundering sanctions are a priority.

www.bobsguide.com

Copyright © 2016 MyGuides. All Rights Reserved

Sales Manager: Edward Drew, edward@bobsguide.com
Design & Artwork: Donna Healy, donna@missjonesdesign.com

bobsguide is the trusted online global resource for buyers of financial IT technology. More than 55,000+ users visit bobsguide every month to research and purchase systems for banks, dealing rooms, corporate treasuries and other financial environments.

Copyright© 2016 My Guides. Copying and redistributing is prohibited without permission of the publisher. This information is provided with the understanding that the publisher is not engaged in rendering legal, accounting or other professional services. If legal or other expert assistance is required, the services of a competent professional person should be sought.

bobsguide
One Hammersmith Broadway
Hammersmith. W6 9DL
UNITED KINGDOM
Tel: +44 (0) 208 080 9167
Fax: +44 (0) 207 084 7783
sales@bobsguide.com
news@bobsguide.com

ADVERTORIAL

New technology for a transformed risk and regulatory paradigm

New regulations are a game changer for risk systems, data and processes. Beyond regulatory compliance, financial institutions need to develop risk-based business models with just-in-time risk management and a focus on efficient capital, assets and liquidity use.

• Risk infrastructures need to be reinvented to deliver regulatory compliance and improved controls, while cutting IT and operational costs.
• A fragmented approach isn't cost-efficient or sustainable. Institutions need to invest in a holistic risk framework to gain a complete picture of their exposures.
• Building a highly adaptable and real-time risk management framework requires the right technology.

Murex’s MX.3 Risk and Regulatory suite is a comprehensive framework that enables financial institutions to build an overall strategy for regulatory and internal risk management, leveraging synergies in calculation engines, data and technology. The suite delivers enterprise solutions for market, credit and liquidity risk control, with a special focus on FRTB, CVA Capital Charge, SA-CCR and SIMM margining.

It also includes a comprehensive xVA management capability. Leveraging on a high-performance risk framework, the suite delivers pre-trade xVA, SA-CCR and SIMM. The underlying platform combines the latest technologies, such as GPUs and in-memory aggregation, with Murex’s expertise in trading analytics.

The enterprise solutions cover all asset classes and can be easily adapted to a bank’s infrastructure. Their advanced integration framework enables banks to meet regulatory deadlines, rapidly anticipate business impacts, and respond to future changes. It is Murex’s ambition that the MX.3 risk framework will be a business enabler, providing clients with the capability to optimize risk and balance sheet resources in trading decisions.

To learn more, please visit www.murex.com or follow us on LinkedIn and Twitter @Murex_Group.

Author and Editor: Marwan Tabet, Head of Murex Enterprise Risk Product Division.

About Murex

Since its creation in 1986, Murex has played a key role in proposing effective technology as a catalyst for growth in capital markets, through the design and implementation of integrated trading, risk management, processing and post-trade platforms. Driven by innovation, Murex’s MX.3 Front-to-Back-to-Risk platform leverages the firm’s collective experience and expertise, accumulated through its strategic client partnerships, to offer an unrivalled asset class coverage and best-of-breed business solutions at every step of the financial trade lifecycle. Clients worldwide benefit from the MX.3 platform’s modular set of business solutions, specifically designed to solve the multi-faceted challenges of a transforming financial industry, while relying on the strength of 2,000 dedicated specialists.


The Ever-Changing Role of the CRO

Madhvi Mavadiya takes a look at how the role of the chief risk officer has evolved since the financial crisis and the struggles a CRO faces on a day-to-day basis in order to be recognised as a vital member of the team.

With traditional systems being replaced and new competitors emerging, the role of the chief risk officer, or the CRO, is more important than ever. Because the function of the risk officer is paramount to good business management, this has been taken into consideration increasingly over the past few years, after the financial crisis, which truly portrayed how significant this position is. Credit risk and market risk have always been something that risk officers have had to deal with; technology risk is an unknown, but it can't be avoided.

Because of recent events, financial institutions and regulators have changed the definition, or job description, of a risk officer, but the CRO should still actively manage risk within the organisation as a fundamental part of their position at the company. PwC (PricewaterhouseCoopers) highlights that in the past, a risk manager’s role was the “second line of defence activity”, but the CRO has responsibility over management of overall risk and the associated adequacy of capital within the business.

“This doesn't mean that other functional leaders can abdicate responsibility for risk management within their function; rather, they manage the risks relevant to them in the same way as they have responsibility to manage local finance, human resources, or any other relevant activity. The CRO has executive responsibility to manage overall risk in the same way as the CFO manages overall finance,” the PwC report read.

Following on from this, a risk manager should always instil good practice throughout the organisation and mentor other business leaders about the benefits of strong risk management. It must be said that all of this evidence leads to the fact that risk management is at the top of the corporate agenda, and it should be.

According to Towers Watson, however, because of this recent revaluation of the role, “the role of the CRO is still in its relative infancy and in many cases is still evolving.” Alongside this, the report stated that many boards continue to debate the real focus and purpose of the CRO in the company, so it could be said that there is scepticism around whether or not a risk officer is necessary. “Views amongst CROs are also mixed about their roles; some are finding their roles stimulating and rewarding, whilst others appear to be finding it difficult to see how their role is adding value,” the report read.

Towers Watson surveyed a number of CROs from insurance companies across Europe in order to gain some insight into the focus of their role, their opinion and how the role will change in the future, as well as the challenges. “The majority of CROs agreed that having only exceptional analytical skills isn't sufficient. The most successful CROs are able to combine these skills with highly developed commercial, strategic, leadership and communication skills to be able to drive change and make a difference in an organisation,” the report read. This is an important message as it could be said that all C-level professionals need to have this mentality, but the question here is if risk officers are valued enough to be respected as “highly developed leaders”.

The relationship between the CRO and the CEO could be the right avenue to ensure that risk managers are taken seriously. The report revealed that when the relationship between these two big players within a company was strong, the CRO’s personal satisfaction in the position meant that the business was also a success. “They saw themselves as valued contributors to the company's day-to-day decision making, supporting the business in its strategic development and being fully supported by the Board.”

As well as support from the CEO, the CRO shouldn't be driven by regulatory requirements, but by the needs of the business. However, this attitude seems to be unavoidable, as the Prudential Regulatory Authority, or the PRA, states in its handbook for senior management control that the chief risk officer should be “accountable to the firm’s governing body for oversight of firm-wide risk management.” The same goes for the rule imposed by the Federal Financial Supervisory Authority (BaFin) and the Minimum Requirements for Risk Management for Banks and Financial Services Institutions (MaFin). There it states that due to the CRD (Capital Requirements Directive) and the EBA (European Banking Authority) guidelines, “the head of the risk control function should perform his or her duties exclusively.”

Regulation could become a barrier and prevent CROs from effectively doing their job, so they must retain their independence and maintain structure in their activities. “CROs will only be able to deliver more insight and identify business opportunities if risk management is viewed by senior management as an enabler to improve business performance. But this is a cultural shift that will need to take place in most insurance companies. Business units need to see the CRO as an ally, rather than a ‘pessimistic risk controller’,” the report highlighted.

As well as a more technical role, the risk manager should also be a communicator and an influencer. The report details that being able to relay vital information will lead to a successful career for the risk officer, who will in turn be able to convey this to the Board, and this is also where trust comes in. “The role of the CRO is fluid and evolves over time with the organisation. Once a new CRO has moved through the initial stages of discovering, developing and embedding risk management, the CRO role is about maintaining the risk framework and focusing on supporting the business in creating value from thinking and acting upon risks differently.”

In a recent article for the Wall Street Journal, it was also expressed that the role of the chief risk officer has been evolving. John Olert, chief risk officer of Fitch Group, believes that independence is key, because of the nature of the role. “As a CRO, you get a lot of independence... which is helpful because you go to more of a best-practices role, it’s a different approach to what risks are. Depending on your relative viewpoint from an issue, you may see it differently...and clarity of vision becomes very powerful from a distance.”

Because of the state of the markets at the moment, many non-financial companies have been employing chief risk officers in order to manage risks and keep threats at bay; this is the view of David Cookson, a recruitment consultant at Russell Reynolds Associates. “Putting aside where they sit on an organisation’s structure, they are looking for a strategic leader and one with a voice that will be heard across the organisation.”

The WSJ also quoted PwC principal in the banking and capital markets practice, Dietmar Serbee: “to add value and be perceived as such in a leadership team, the CRO can never be just a nay-sayer, someone who takes the punch bowl away, but someone who knows how to achieve its strategy while mitigating risks.”





The Evolution of Risk: End of the Rear-View Mirror

A tendency to look back and base risk management on past experience has been one of its major weaknesses. A forward-looking and predictive approach is paving the way for a more robust assessment of risk, says Sarah Gill.

Risk management, or the expectation of what it should deliver, is changing dramatically. A combination of growing pressure from regulators, the long shadows of the 2008 global financial crisis and more recent market volatility means investors today are asking more questions about the exposure of their different positions to risk.

Tech has some of the answers. Advances in fields like big data management and storage plus the falling cost of computing mean the raw tools to provide this information exist. But getting good quality data in the first place is just one of the challenges facing legacy players as they try to answer those growing demands.

“Based on cycles over last 10 years there are inflection points that raise the importance of and discussion around risk,” says Bennett Egeth, President of Broadridge Investment Management Solutions. It could be market disruption, extreme volatility or a trading desk with abnormal results that a bank can't explain. Others are regulatory-driven, such as the Risk Data Aggregation (RDA) 239 rules implemented over the last two years as part of the Basel III capital adequacy regime. “Those put a lot of demands on risk and investors are worse going in and asking questions about their portfolios, how they are protected from market events and the process of how firms manage risk,” says Egeth.

Finance moves in cycles and so too do approaches to risk. With many warning we’re now closer to the next massive market correction than the last, here we take a timely look at the key ways in which risk is evolving. We examine the opportunities and challenges around implementing new technology, what risk management platforms can learn from what’s happening in fintech plus what’s ahead in 2016.

SHIFT AWAY FROM BACKWARD-LOOKING APPROACH

One of the most exciting developments in the space is going to be technology's potential to help drive risk management from looking backwards to a forward-looking and predictive approach. There isn’t just regulatory pressure on banks here, but financial pressure as traditional financial institutions struggle to slice costly inefficiencies out of their businesses. Traditional end of day reporting simply isn’t sufficient any longer.

“The profitability squeeze banks have experienced necessitates a fresh understanding of risk,” says Misys Head of Capital Markets Product Strategy, Sadiq Javeri. He points to a shift in mentality in the capital markets, for example, where it’s increasingly important to understand more about the risk of a trade before a trade is put on. “Pre-crisis there were amazing situations where you would trade based on an instinctive approximation of the portfolio impact and then you’d be told the actual risk metrics in the morning. Then you would adjust. There isn't enough slack in the market for such practice today.”

Since the practice of end of day reporting first began, the markets have transformed almost beyond recognition, and Broadridge’s Bennett Egeth says it is “no longer adequate” in the volatile environment that we’re seeing and the complex interrelationship between the markets. “It’s harder for someone running a trading desk to understand how their positions will be impacted if the market moves a certain way.

“Every time there is an issue like the stress on the Chinese market in January – people are struggling to understand why something that was initially a problem in China with Chinese companies affected so much business globally.”

He says the base level of knowledge and tools people need to have is only growing and a higher bar is being created every day. Whoever can both understand an outcome and explain it to their client, wins. “If I call one broker and he gives me a crisp answer and I call another and he fumbles, where is my next dollar going?”

Put simply, investors need more granular, flexible data, on-demand. Again, it comes down to the quality of data and ability to aggregate and crunch it efficiently. That’s easier said than done, of course, and the markets are only getting more complicated.


“The evolving nature of risk management touches on technology in two primary ways: first, firms seek a greater internal grasp of positions and exposures as strategies become more complex, traditionally voice-traded markets like credit increasingly go electronic and electronic markets grow faster overall,” says Axiom SL MD Don Mumma. “Second, burgeoning post-crisis requirements from national and global regulatory regimes that demand a more integrated, holistic and reportable snapshot of risk, made available in real- or near real-time.”

“The CFO and CRO's role have expanded significantly to aggregate measures including capital consumption, liquidity positions and regulatory compliance. These requirements include reporting to new levels of dimension, granularity and frequency.”

NECESSITY IS THE MOTHER OF CREATIVITY

With regulations cementing a need for holistic risk platforms, FIS Head of Risk Management and Analytics, EMEA, Sven Ludwig says the need for better risk management to create competitive advantages is already driving innovation. “We see the main challenges for risk platforms are: firstly to identify, develop and adapt new technologies allowing better risk management,” says Ludwig. “Secondly to stay on top of current risk and compliance methodologies and thirdly to package the increasing risk complexity into simplicity. It is crucial that there is mandatory continuous innovation and significant investments to keep risk platforms holistic.”

A big issue here is internal fragmentation. Until recently risk management has been a heavily siloed operation where a firm might use different systems to report on different asset classes or desks within the same business. In order to provide a ‘snapshot’ of risk across all of them, it needs to aggregate and then make sense of data in all different shapes and flavours.

“The tech to overcome this exists, but the challenge is implementation,” says Misys’ Sadiq Javeri. “Transforming an organisation to be able to use new infrastructure is challenging. There are multiple siloed and often matrixed stakeholders in the existing ‘spaghetti style’ infrastructure so it’s difficult to get the buy-in to embark on new enterprise-wide initiatives. Banks are fighting battles on so many fronts, it's just regulation, but the hope that things will go back to how they were has definitely subsided. The resulting focus on whole-scale IT transformation as a key enabler has only just started to materialise.”

LEARNINGS FROM FINTECH AND OPPORTUNITY FOR INNOVATION

So what can the risk management sector learn from the financial technology industry when it comes to letting down its barriers to innovation and strengthening platforms with new technology?

“As fintechs take a fresh and unbiased look at the financial industry, risk platforms need an analogous look at risk management,” says FIS’ Sven Ludwig. “Financial institutions have to realise that they are IT companies with a banking license. Fintechs are acting on this basis and risk platforms need to do the same on decomposition and through a utility approach.”

So where are the opportunities for emerging technology to enhance risk management? As mentioned, big data and in-memory are two key areas that are paving the way for management to move from reporting to identification to prediction. For some, another path could lie in blockchain, which many of the world’s biggest banks and financial institutions are currently piling into.

“Recent innovations in the finance space have predominantly focused on reducing risk through easier, more efficient technology,” says AutoRek’s Marc McCarthy. “The emergence of blockchain and crypto currencies are designed to remove the multiple layers of intermediary actors in any transactional process. Blockchain, at its core, relies on the concept of shared ledgers. That is, every member of a Blockchain has access to and full visibility of each other’s transactional ledgers. By providing full exposure to everyone in the chain, there will be a significant decrease to credit, market and operational risk.”

DEMOCRATISATION OF RISK

Another advantage that new technology brings to the risk management space is that companies that previously couldn’t afford to invest in risk now have tools to do so. Advances in capturing and, crucially, making sense of big data are playing an important role in this, as is the fact that data is becoming more widely available. Lead generation and risk management specialist DueDil is a company helping its clients leverage this information to their advantage. Damian Kimmelman, CEO at the firm, says: “Even small companies can now take important steps to limit the amount of risk they face – reducing the costs of working with other firms.

“For most companies, risk management wasn’t fair until recently,” says Kimmelman. “Access to business information sources was prohibitively expensive, locking out all but the largest corporates and institutions. In other words, the playing field was rigged: key data that would have reduced risk for companies and made doing business safer was available to only the biggest players.”

Adam French, co-founder and MD at Scalable Capital, echoes this view, pointing to the impact of mobile on giving retail investors access to services which previously were reserved for the very wealthy, bringing down the cost and improving the overall level of transparency in the investment management industry. He says that within the risk management space there is still a huge opportunity for improvement in the way client money is managed. Another example is cloud computing, which has now enabled us to run millions of simulations in a cost-effective way so that portfolios can be optimised on an individual investor basis without the flawed assumptions we used to rely on. “Ten years ago this would not have been possible but with the cost of computation coming down we no longer need to rely on bank mainframes to provide such models.”

“Investors are now motivated to question their assumptions about risk and return with greater scrutiny than they had previously,” says French. “Data has always been an integral part of finance but we are now able to analyse this data much more efficiently to better understand risk and form conclusions which sometimes contradict the status quo.”

“The financial crisis taught many private and institutional investors in the capital markets a few lessons: Do they know how much risk they have in their portfolios? Do they fully understand the risk in their portfolios? Ultimately we know that risk is the currency to buy long-term investment return. The question is how much of this risk is currently on the table?”



RMS Functionality Matrix

Functionality columns: Asset & Liability Management; Behavior Detection/Predictive Analytics; Collateral Management; Compliance; Credit Risk; GRC/ERM; Liquidity Risk; Margin Software; Market Risk; Operational Risk; Risk Analytics; Risk Databases; Risk Management; Structured Finance Solutions

KEY: ● Yes, ■ Some

Company Name: System Name

3V Finance: TITAN™
Acuity Risk Management: STREAM
Adaptive Reasoning Ltd: Terms Checker
Adaptive Reasoning Ltd: NAV Monitor
Adaptive Reasoning Ltd: Document Store
Algorithmica Research AB: ARMS
Avention: OneSource
Axioma Inc.: Axioma Risk
Axioma Inc.: Axioma Portfolio Analytics
BCS Consulting: BCS controlcentre
BearingPoint: Abacus Solution Suite
Brady: Brady ETRM
Calypso Technology: Calypso Risk
Chatham Financial: ChathamDirect
Cinnober Financial Technology: TRADExpress Client Clearing
CORRTEC: CorrRisk
Data Boiler Technologies, LLC: VR Machine
Derivation Software: Derivation Software
EGAR Technology: EGAR Risk & Limits Manager
EQ Finance: EQF
Ideagen Plc: Ideagen
Imagine Software: Imagine Risk Management Platform
Incom Pty Ltd: Enterprise Risk Manager
INFORM GmbH: RiskShield
JC Applications Development Ltd: JCAD CORE RISK
KlarityRisk: Paragon
KYCnet: Passport
Lacima: Lacima Analytics
Loxon Solutions: Loxon Risk Management Suite
Maclear: Maclear eGRC Suite
MBRM - MB Risk Management: MBRM UNIVERSAL Add-ins
MetricStream Inc.: Risk Management Systems
Misys: Misys FusionRisk
MORS Software: MORS Treasury, Risk, Liquidity Management and ALM
Murex: MX.3
NeoXam: NeoXam Portfolio Management & Compliance
Northstar Risk Corp.: Solutions for Risk, Performance, and Investor Reporting.
Open Source Investor Services BV (OSIS): LoanPilot
OpenLink: Findur
Path Solutions: iMAL Enterprise Islamic Core Banking System
Percentile: RiskMine Platform
Pinpoint Intelligence: Complete Pay
Prometeia: ERMAS Suite
Protiviti: Protiviti Governance Portal
Quaternion Risk Management Ltd.: Quaternion Risk Management Ltd.
RFA: RFA
Risk I.T. Ltd: Hydra
RiskSystem: RiskSystem
RiskVal Financial Solutions: RVALM (RiskVal Asset Liability Management)
RiskVal Financial Solutions: RVPortfolio
RPC Consulting: Tyche+
Savvysoft: STARS
Softek Computer Services: Softek Capital Adequacy Services
StatPro: StatPro Revolution
SYSTEMIC: RiskValue
The Institute for Financial Markets: Position Limits Databank
UBS: UBS Delta
Visual Risk: Visual Risk
zeb: zeb.control.risk



Biometrics: The Risk Industry’s Front Door?

Benjamin Rabinovich explores the rise of biometric technology and its relationship with risk. He asks whether biometric technology is the panacea everyone has been waiting for, or is it a single solution to a single problem in a larger ecosystem?

Last October, a cyber-attack on TalkTalk had 157,000 customers’ information compromised. The attack was less significant than originally thought and only around 21,000 customers had their bank account details accessed. But for TalkTalk - and any other company or organisation whose reputation is only as strong as its security systems – that’s 21,000 people too many as the company suffered losses of up to £60 million and 101,000 customers.

Before TalkTalk, Barclays had its moment in the negative light and now, in 2016, HSBC came under attack at the end of January, leaving customers unable to access online banking services for hours. The situation was exacerbated by the fact that the attack happened on the last working day before people had to file their online tax returns. It was also the second attack the bank experienced in five months. HSBC was just the most recent reminder of the axiomatic truth: although it may cost a lot to have vibrant security systems in place, it costs a lot more to not have them.

PASSWORDS ARE NO LONGER THE WAY FORWARD

So how did these companies and financial institutions react to these hacks? What did they advise to the irate and afraid customers? They said that customers should update their passwords. TalkTalk told its customers to change their passwords as soon as systems were back online, advice very much in line with the general advice of security experts: change passwords frequently; don’t use the same password twice; make passwords complex and so on and so on.

There is only one problem: people dislike having passwords. Nobody wants to remember a password, let alone a myriad of highly complex ones. This annoyance has been aggravated by the rise of certain risk innovations, particularly biometrics. Challenger banks such as the mobile-only Atom, voted 8th most innovative fintech company on KPMG’s Fintech 100 List, will have facial and voice biometric authorisation, and Atom's Chief Innovation Officer, Edward Twiddy, highlights that customer experience was at the heart of the decision:

“Using a combination of facial recognition, passcode and voice recognition, a customer will be able to do everything they need to do within the app. We know customers of other banks get frustrated today with not being able to do everything they want to do online or in-app and with Atom, this frustration won’t exist.”

Large financial institutions have been very slow to respond to what the customer wants, but as Philippe Regniers, Marketing Manager at Gemalto, points out, the rapid proliferation of fintech startups is forcing them to change: “Customer experience is at the heart of many fintech startups, but this is something that FIs have not always focused on. Risk Management helps FIs improve their customers' experience by authenticating only when needed or according to preferences or profiles.”

Now the largest of players are making active efforts to explore the risk management benefits of biometric technology. At this year’s Mobile World Congress, MasterCard announced plans to allow people to use selfies and fingerprints as methods of verifying online payments. The company trialled the system last year in the US and Holland and told the BBC that a whopping 92% preferred it to passwords. As Ajay Bhalla, MasterCard Chief of Safety and Security Division, said: “We know the most commonly used password is 123456, so they are not secure, and people also use the same passwords for multiple sites. If one site gets hacked all the places that you use the same password get compromised. They are a big pain. In the modern world everyone has a mobile phone and there is internet connectivity everywhere. So, we should be able to use biometrics to authenticate ourselves.”

Whilst it may seem to be everywhere, it took Apple’s level of market penetration to get the mainstream interested in the technology with its ground-breaking Touch ID technology.

Very quickly, many financial applications evolved to integrate it as a method of authentication, the latest of which has been the aforementioned HSBC. The high street bank revealed in February it would introduce fingerprint and voice authentication in the UK later this year in an attempt to provide stronger security to their online banking services. The likes of Barclays, RBS and NatWest have all already implemented biometrics into their systems.

The significant increase in interest from financial institutions will have a profound effect on how the future of the risk industry will look. A 2015 report from Goode Consultancy said that by 2020, more than $5.6 trillion of payments will be secured by biometric technology. We have already seen the first working biometric ATMs being rolled out in China and it’s only a matter of time before similar innovations make their way across to the West.

IS IT REALLY THE PANACEA WE’VE ALL BEEN WAITING FOR?

However, could it really be as simple as that? Looking at the large high street banks scrambling to allow people to use their fingerprints and faces as methods


Risk Management Systems Guide 2016

of verification one would be forgiven for assuming that biometrics is the panacea the risk industry has been waiting for. Many are not convinced. Some have gone as far as to dismiss certain biometric features as nothing more than ‘gimmicks’. Payment expert Jens Bader, CCO at UK payments company, Secure Trading, described the MasterCard MWC announcement as ‘disappointing’: “I’ve been slightly disappointed with the payment related stories coming out of MWC. Hollow announcements from MasterCard and Samsung have been portrayed as innovative but are far from it, and only pay lip service to the mobile payments industry, which is thriving like no other and here to stay.” He said the ‘selfie payments’ feature “reeks of a PR stunt”, adding that it is of minimal or no benefit to anyone. “It is little really more than a technical trail or gimmick. It’s been done to prove it can be done technically, but not because it solves a real world problem. It will be difficult to govern from a liability standpoint too. The percentage of cases where this could go wrong will be immense.” The likes of Russell King, CEO of Paycasso, believes that biometrics by themselves are not the answer to our woes, but rather work best with other vibrant verification processes. This sentiment is echoed by Regniers who says, “working alongside or in conjunction with passwords or PIN codes, biometric solutions can be used to authenticate users when the risk system recommends such authentication.” PROTECT THE SYSTEM, PROTECT THE WORLD However, even then, as Vishal Bhatnagar, SVP & Country Manager at CAST, points out, biometrics predominantly focus on authorisation, and “authorisation is just one issue”. “It is important, but the deeper issue is the security of the applications themselves. Most internal ADM quality assurance teams, architecture teams and security teams don’t tend to work well together and security checks are very basic. 
He stressed that it is important to consider integration between different systems: “To really secure core applications that handle sensitive data, organisations need to design and build security into these applications. That’s still not happening, which is a major problem as a lot of these core legacy applications are being linked to these new, custom fintech applications, leading to greater potential for system-level security holes.”

This ties into the wider topic of segmentation to prevent system-wide attacks. In an interview last year, Wim Abraham, Director of Services at VASCO Data Security, said that the priority in the risk industry should be to ensure that a “systematic attack is not possible”, whilst pointing out that there will always be cases of “individual fraud”.

This is the crucial point, one also made by Paul German, VP EMEA at Certes Networks. He recently underlined: “Breaches are occurring all the time – and organisations need to accept that it is more than likely a breach has either already taken place or is currently underway within their environment and that this can and will happen without any notification. With that understanding comes a recognition that the objective is now to contain any breach whether known or unknown and minimise any risk of it becoming system wide.”

German stresses that this segmentation of risk must happen in the very near future as in a “cloud and mobile enabled environment where networks are often outside an organisation’s control, it is simply not possible to deploy a robust end to end strategy”. This is because the rise of innovations such as mobile, biometrics (especially on mobile) and the cloud have forced companies to change their operations and cater to what the consumers want – and you can’t change your operations without also changing risk management to reflect them.

German’s argument very neatly works with these new systems because they can all be deployed to literally minimise risk. He says that rather than building walls just to keep people out of the whole system, the focus should be on creating security structures that contain the breach by having many “fire doors between different parts of the infrastructure”. In this context, measures such as biometrics can act as the first key to the first door of many in a vibrant security system. ■


ADVERTORIAL


Managing IT Risks

By George Ralph, Managing Director, RFA

Essential outsourcing or using a vendor to manage any component of the technology stack or your business is known as risk ‘transference’.

The principal reason for managing risk in an organisation is to protect the mission and assets of the organisation. Therefore, risk management must be a management function rather than a technical function. Risk management and current risk plus mitigation activities must be presented to the board regularly, as this promotes informed decisions at management level rather than reactive technical decisions. Ideally, there should be a quantitative framework in place with the ability to present the top 5 risks on a monthly basis with clear mitigating actions.

There are four key methods to manage risk.

• Transference: Transference is the process of allowing another party to accept the risk on your behalf.
• Acceptance: Acceptance is the practice of simply allowing the system to operate with a known risk. Many low risks are simply accepted.
• Avoidance: Avoidance is the practice of removing the vulnerable aspect of the system or even the system itself. This is a key business decision for management and comes down to understanding each risk, its likelihood and the impact it will have – hopefully arriving at a decision of Risk Probability vs Risk Impact.
• Mitigation: Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw.

The key options to managing risk in our experience are either a quantitative approach or a qualitative approach.

• Quantitative Risk Assessment: Mathematically, quantitative risk can be expressed as Annualised Loss Expectancy (ALE). ALE is the monetary loss that can be expected for an asset due to a risk being realised over a one-year period.

ALE = SLE * ARO

where:
SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire asset. This is the impact of the loss.
ARO (Annualised Rate of Occurrence) is how often the loss occurs. This is the likelihood.

Risk can also be managed in a qualitative fashion, perhaps by a team covering each knowledge area.

• Qualitative Risk Assessment: Qualitative risk assessments assume that there is already a great degree of uncertainty in the likelihood and impact values and define them, and thus risk, in somewhat subjective or qualitative terms. The results of qualitative risk assessments are inherently more difficult to concisely communicate to management. Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”.
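The ALE formula above, applied to a small risk register to produce the monthly "top 5" board view, as an added example that is not RFA's own tooling. The register entries, the control multipliers and the net-benefit rule (ALE before, minus ALE after, minus the control's yearly cost) are assumptions made for illustration, and every figure is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    """A compensatory control, i.e. the 'mitigation' option (hypothetical model)."""
    name: str
    annual_cost: float
    sle_factor: float = 1.0  # multiplier on impact (1.0 = unchanged)
    aro_factor: float = 1.0  # multiplier on likelihood (1.0 = unchanged)


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: value of one loss (impact)
    aro: float  # Annualised Rate of Occurrence: losses per year (likelihood)
    control: Optional[Control] = None

    def __post_init__(self):
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")

    @property
    def ale(self) -> float:
        """ALE = SLE * ARO, as defined in the article."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """ALE once the proposed control has reduced impact and/or likelihood."""
        if self.control is None:
            return self.ale
        c = self.control
        return (self.sle * c.sle_factor) * (self.aro * c.aro_factor)

    @property
    def net_benefit(self) -> float:
        """Assumed rule: yearly saving from the control after paying for it."""
        if self.control is None:
            return 0.0
        return self.ale - self.residual_ale - self.control.annual_cost


def top_risks(register: List[Risk], n: int = 5) -> List[Risk]:
    """The n largest risks by ALE, for the monthly board report."""
    return sorted(register, key=lambda r: r.ale, reverse=True)[:n]


def board_report(register: List[Risk], n: int = 5) -> List[dict]:
    """One row per top risk, each with a clear mitigating action."""
    rows = []
    for r in top_risks(register, n):
        if r.control is None:
            action = "no control costed: accept, transfer or avoid"
        elif r.net_benefit > 0:
            action = f"mitigate with {r.control.name}"
        else:
            action = f"accept: {r.control.name} costs more than it saves"
        rows.append({"risk": r.name, "ale": r.ale,
                     "residual_ale": r.residual_ale,
                     "net_benefit": r.net_benefit, "action": action})
    return rows


# Constructed sample register; all names and figures are illustrative.
SAMPLE_REGISTER = [
    Risk("Laptop loss", 2_000, 4.0,
         Control("full-disk encryption", 10_000, sle_factor=0.5)),
    Risk("Ransomware on file servers", 400_000, 0.25,
         Control("offline backups", 20_000, sle_factor=0.5, aro_factor=0.5)),
    Risk("Data centre outage", 250_000, 0.125),
    Risk("Fraudulent payment instruction", 150_000, 0.5,
         Control("dual approval", 5_000, aro_factor=0.25)),
    Risk("Vendor breach exposes client data", 500_000, 0.125),
    Risk("Phished credentials", 10_000, 2.0,
         Control("multifactor authentication", 4_000, aro_factor=0.25)),
]

if __name__ == "__main__":
    for row in board_report(SAMPLE_REGISTER):
        print(row)
```

Ranking by ALE alone puts the laptop risk outside the top 5, and the net-benefit column shows why its control would be a poor spend even if it were included.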

DEFINING RISK IN THE BUSINESS

This is the key driver for every business. “The aim when working with those at board level is to ensure that they are informed about the risks to their business at all times.” In doing this we have a clear ‘risk management’ process updated by all involved. The key, however, is defining the likelihood, impact and effect, as this varies hugely depending on the business strategy, size and core systems. At RFA we always run a quantitative risk management process to ensure that all key parties and decision makers are given the ability to make overall ‘informed’ decisions.

CHOOSING A TECHNOLOGY PARTNER

Selecting a trusted technology partner is one of the best ways to minimise IT risk. But there are many technology partners out there, competing for business from the Capital’s hedge fund community. So how do you, as a prospective client, choose the right partner for your firm? This checklist should help you decide between technology suppliers.

• Step One: Choose a specialist partner who offers a range of services that can meet your needs, and will integrate with your other suppliers, because there are no one-size-fits-all suppliers who will understand your business as well as the specialists. The dominant technology partners often have a huge range of services and solutions, but they have a little knowledge about a lot of industries, and won’t necessarily understand the specific challenges faced by hedge funds. A specialist partner may not be able to offer as wide a range of solutions, but they will work closely with your other suppliers to ensure a seamless delivery of services. They will also be able to offer some advice at a business level and recommend others within the sector (i.e. compliance, legal or fund admin).

• Step Two: Ensure the T&Cs are flexible enough to meet the specific demands of your business now and into the future. Most firms can’t take the risk of being tied into restrictive contracts, so choose a partner who offers flexible terms that can be adapted to meet your needs. If your firm needs unusual support desk cover, then ensure this can be accommodated. A true partner will always work with you at this stage of the relationship to ensure a fair written agreement is implemented that works for both parties.

• Step Three: Look at their proven track record. Risk management is a key driver for every hedge fund and unproven technology partners are a risk that is hard to quantify. In order to mitigate the risks associated with a new technology partner, it is advisable to dig deeper into their history to ensure that they are viable, with a solid customer base and experienced team to underpin the services they are providing.

• Step Four: Check out their qualifications and accreditations. It is important that your technology partner of choice has the right accreditations and that they invest in keeping these current. Not only does this prove that the engineers have learnt about the technology they are using, it also demonstrates the company’s commitment and investment, both time and money, in their vendor partnerships. When new technology is released, your technology partner needs to be ahead of the curve.

• Step Five: Ensure they are meeting and exceeding security and compliance regulations. Security and the ability to meet compliance requirements is fundamental to the alternative investment sector. Your technology partner must be able to demonstrate that your data will be stored in accordance with the security requirements that the industry demands. Data centres should be physically secure, adhering to ISO27001 and SSAE16/Type II standards, and with options to encrypt, or use multifactor authentication should that be required. Intrusion detection and continuous monitoring will ensure uninterrupted service and enhanced cybersecurity protection.

• Step Six: Seek satisfied customer references from firms in your sector. Never sign a contract without talking to at least one or two satisfied customers. There is no greater endorsement than a peer endorsement. Fellow hedge funds will tell you the truth about the tech partner, whether they are easy to work with, knowledgeable and helpful. These are all things you can’t find out from marketing literature.



Compliance and Best Practices to Combat Misconduct

Facing a wide variety of regulatory and best practice pressures, risk systems vendors have to constantly innovate to help the risk sector function. Ben Poole investigates.

The burden of regulation that the risk sector faces with regards to financial crime can differ markedly depending on which area of crime you are talking about. Regulations exist on the anti-money laundering (AML) side and concerning the funding of improper individuals or entities. In the US, the Office of Foreign Assets Control (OFAC) issues regulations in this area, while global watch lists such as those from the UN and EU are considered the standard in this space. OFAC is a compliance issue within the US, and the other watch lists are areas that banks need to comply with, so there is a mandatory onus on financial institutions to ensure that they are compliant and not sending payments to organisations on these global watch lists.

The regulation itself is very bank specific. From a risk management systems standpoint, it is certainly a best practice to provide watch list filtering and compliance checks of the same kind that the banks are operating. However, this is not mandatory and therefore the regulation does not necessarily trickle down to risk management system vendors. Despite this, it is acknowledged as a best practice to provide that same capability, on the payments side particularly, to a treasurer that is looking for that pre-notification that there is potentially a compliance or watch list sanction issue.

Looking at the issues from a merchant payments perspective, the key government initiatives are around preventing fraudsters from using the payment system to generate revenue or launder funds. The push grew out of concerns about fraud more than terrorism, but preventing terror financing is an important piece. “Operation Chokepoint”, which peaked about 18 months ago, was the original initiative by the US Federal Trade Commission (FTC) to prevent what they called “high risk” merchants from processing card payments.

"While they have backed away from that specific initiative, Chokepoint put processors on notice that they now had front line responsibility to protect the payment system," says Daniel M. Polar, Manager of Anti-Money Laundering Compliance Consulting at LexisNexis Risk Solutions. "In practical terms, this has meant additional scrutiny of merchants applying for processing accounts, including stronger due diligence on the individuals associated with the businesses. That means it is more important than ever to know who the people are behind a business, so that they can be screened against a range of watch lists."

CYBER GUIDELINES, NOT REGULATIONS

When it comes to cyber crime, specific regulation is lacking. There are lots of guidelines and memorandums from bodies such as the UN and the G8, but they are not regulations. Outside of hacking and stealing data, which is obviously illegal in most countries, there are not a lot of global standards to dissuade global cyber crime. Instead of complying with a specific regulation, tackling cyber crime becomes a matter of best practice.

"Companies have a lot at stake if they have a fraud or cyber crime issue," says Bob Stark, VP Strategy at Kyriba. "For most organisations, particularly those that are publicly traded, that information can be quite damaging to their reputation and have an effect on their stock price, compounding the actual financial loss and any potential fines. These are big consequences that are definitely in an organisation's best interests to avoid."

In the realm of merchant payments, additional outside pressures also exist. "Also of note, the payment networks are pushing merchants to strengthen security measures in their systems," says LexisNexis' Polar. "EMV is the most visible result. But there is also a push for stronger PCI standards, which require merchants to conduct regular security audits. And merchants are encouraged to adopt stronger encryption at point of sale, and to use tokenisation - replacing account numbers with alternative codes that cannot be used outside of the transaction to reduce the value of compromised data."

INNOVATIVE STEPS TO SUPPORT RISK MANAGEMENT

With pressures of regulation and best practices, vendors have to keep up and indeed go beyond what their clients are requesting. Corporates are demanding similar tools in a treasury and risk management system that they get from their banks, such as the watch list filtering with pre-notifications.

"It is important to make sure that treasurers and CFOs have pre-notification of potential issues before the bank tells them that there is a problem," says Kyriba's Stark. "A pre-notification doesn't necessarily mean that they absolutely have something in the wrong, it is just that there is a potential issue that needs to be investigated. The bank will have significant due diligence that they need to provide. If a corporation that is remitting payments, as an example, can get a preview of what is to come then they can certainly start preparing that documentation in advance."

With cyber crime, treasury and risk management systems can really focus on three areas:

• Log in and authentication procedures
• Data security
• Information workflows

Log in and authentication procedures

This tries to eliminate the possibility that hackers can gain control of the system by simply buying or hacking a password. It is the same as your email: you don't want that to be hacked just because someone was able to guess your user ID and password.
As a result, multi-factor authentication is essential. This may use hard tokens or soft tokens - perhaps the user's smartphone is the recipient of that second factor of authentication. This is a best practice in today's complex systems.

"Security threats are driving trends for encrypting data at rest as well as data in transit, more robust payment approval controls such as multi-factor authentication, and more controls over payments during the payments lifecycle," says Phil Pettinato, Chief Technology Officer at Reval. "Checking outgoing payments against sanction lists - black lists and white lists - which is required by different regulators around the world, adds a level of complexity to payments systems."

Data security

With data security, the main thing IT is trying to do is ensure that systems are protected from brute force attack and other outside hacking. This is where data encryption comes in. It is important to remember that there is no regulation dictating that it is done in one specific way, so it comes down to best practices.

"The nice thing that treasurers and CFOs have is that they have the opportunity to align with their own CIO and their own information security policies for the organisation," says Kyriba's Stark. "There are standards that each organisation has around this. They may have a cloud-specific policy as well, but the idea is that the organisation sets these standards and then the providers on the technology side have to meet those standards."

Information workflows

Payments provide a great example of information workflows that keep CFOs up at night. Information workflows relate to how systems are used, and whether the right controls are in place to mitigate internal fraud and external business email compromise (BEC) schemes, for example. This is more a hacking of the process rather than a hacking of the system.

"Information workflows are another area where vendors can look to provide more than what is being asked for," says Kyriba's Stark. "Corporates might only ask that, for every payment that is over a certain amount, two people have to approve it. Vendors can come to the table and offer suggestions to support this area, such as automatic reporting that notifies of any deviation from a typical audit trail, or flags to notify when the person approved to do a payment has changed some details of that payment at the same time. This could be as prevention, as a warning or as a notification. There is a lot that can be done in this area, and it really gets back to the fact that there is no standard around how internal processes are done and systems are used to manage data."

Making sure that this data is managed, making sure that the information is secured, that things like funds transfers are secure and standardised so that they cannot be compromised along the way.

"The CIO and the information security team don't tend to look at the issues around the workflow controls as much as they do for log in procedures and data security," says Kyriba's Stark. "That then becomes an opportunity to go beyond what a treasurer may be asking for, by allowing them to become more sophisticated in what they are able to do, in order to prevent these types of BEC schemes and other types of phishing."

LOOKING TO THE FUTURE

The next compliance challenge that is starting to arise is around virtual currencies and non-bank channels for the delivery of funds. At some point, regulators are going to have to make decisions on how to manage that.

"There is an opportunity for organisations and regulatory bodies to provide - either at a country level or at a global level - guidance or nationalised regulation in the area of non-bank channels such as blockchain," says Kyriba's Stark. "The participants in the financial community will probably welcome some regulation to ensure that the non-bank channels are able to comply with the same standards that banks and their delivery channels of funds have to comply with. This is really around anti-money laundering and financial crime, ensuring that any opportunities that may exist for these activities in non-bank channels are shut down." ■
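The workflow controls described under "Information workflows" (two approvers above a certain amount, a flag when someone who approved a payment also changed its details, and a notice when the audit trail deviates from the usual order) can be checked over a payment audit trail as follows. This is an added example, not code from any vendor named in the article: the event layout, the flag names, the 10,000 threshold and the sample trail are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed amount above which two approvers are required (hypothetical value).
DUAL_APPROVAL_THRESHOLD = 10_000.0


@dataclass(frozen=True)
class Event:
    seq: int             # position in the audit trail
    payment_id: str
    user: str
    action: str          # "create" | "edit" | "approve" | "release"
    amount: float = 0.0  # set on "create", or on an "edit" of the amount
    field: str = ""      # which detail an "edit" changed


def review_audit_trail(events):
    """Return {payment_id: sorted list of flags} for every payment seen."""
    by_payment = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        by_payment[ev.payment_id].append(ev)

    findings = {}
    for pid, trail in by_payment.items():
        amount, approvers, editors, flags = 0.0, set(), set(), set()
        for ev in trail:
            if ev.action == "create":
                amount = ev.amount
            elif ev.action == "edit":
                editors.add(ev.user)
                if ev.field == "amount":
                    amount = ev.amount
                if ev.user in approvers:
                    flags.add("APPROVER_CHANGED_DETAILS")
                if approvers:
                    # Deviation from the usual order: earlier sign-offs
                    # covered different details, so they no longer count.
                    flags.add("EDIT_AFTER_APPROVAL")
                    approvers.clear()
            elif ev.action == "approve":
                if ev.user in editors:
                    flags.add("APPROVER_CHANGED_DETAILS")
                approvers.add(ev.user)
            elif ev.action == "release":
                needed = 2 if amount > DUAL_APPROVAL_THRESHOLD else 1
                if len(approvers) < needed:
                    flags.add("INSUFFICIENT_APPROVALS")
            else:
                raise ValueError(f"unknown action {ev.action!r}")
        findings[pid] = sorted(flags)
    return findings


# Constructed audit trail; users, ids and amounts are illustrative only.
SAMPLE_TRAIL = [
    Event(1, "P1", "alice", "create", 2_500.0),
    Event(2, "P2", "alice", "create", 50_000.0),
    Event(3, "P1", "bob", "approve"),
    Event(4, "P3", "alice", "create", 50_000.0),
    Event(5, "P2", "bob", "approve"),
    Event(6, "P1", "alice", "release"),
    Event(7, "P3", "bob", "approve"),
    Event(8, "P4", "dave", "create", 8_000.0),
    Event(9, "P3", "carol", "approve"),
    Event(10, "P2", "alice", "release"),
    Event(11, "P4", "erin", "edit", field="beneficiary_account"),
    Event(12, "P3", "carol", "edit", field="beneficiary_account"),
    Event(13, "P4", "erin", "approve"),
    Event(14, "P5", "alice", "create", 50_000.0),
    Event(15, "P3", "alice", "release"),
    Event(16, "P4", "dave", "release"),
    Event(17, "P5", "bob", "approve"),
    Event(18, "P5", "carol", "approve"),
    Event(19, "P5", "alice", "release"),
]

if __name__ == "__main__":
    for pid, flags in sorted(review_audit_trail(SAMPLE_TRAIL).items()):
        print(pid, flags or "clean")
```

Whether a flag blocks the release, warns the releaser or only notifies a reviewer is a policy choice layered on top of the returned findings.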
