Jeff Simmons makes the case for forward planning your third party exit strategies
Seize the Day: Ionela Emmett argues that financial institutions need to look beyond the challenges of Companies House reform
Lessons Learned: Emma Hagan looks back at the collapse of SVB Bank and asks whether we’ve learned from the crisis
The Dawn of DORA: With the implementation deadline just a month away, Gerard Doyle looks ahead to Europe’s new regulatory reality
www.cefpro.com/magazine
The views and opinions expressed in this publication are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
FOREWORD
Farewell to 2024: The Year that Shaped Our Future History
CeFPro Managing Director Andreas Simou heralds the end of a year of seismic political change
2024: THE YEAR THE WORLD CHANGED THE RULEBOOK ON RISK
A double election year will have significant consequences for risk management
Merlin Linehan, Risk Manager, European Bank for Reconstruction and Development
NAVIGATING THE FUTURE OF RISK MANAGEMENT IN FINANCE – AN EDITORIAL PERSPECTIVE
Guest editor Chandrakant Maheshwari looks back at CeFPro’s AI in Financial Services conference and explores the importance of balancing dynamic risk management skills and AI tools with human collaboration.
Chandrakant Maheshwari is FVP, Lead Model Validator at Flagstar Bank, NY
EXPLORING EMERGING RISKS IN THE FINANCIAL INDUSTRY
The risk landscape is constantly evolving, with new challenges constantly emerging, posing the question of how risk professionals should approach an ever-moving target
Deniz Tudor is Head of Modeling at Bread Financial
A NEW ERA IN RISK MANAGEMENT - LESSONS FROM SVB’S COLLAPSE
How SVB’s collapse highlights crucial improvements needed in risk management and governance
With insight from Emma Hagan, Chief Risk and Compliance Officer (UK), ClearBank
BEYOND THE NUMBERS: HOW BEHAVIORAL SCIENCE IS SHAPING THE FUTURE OF BANKING RISK
Behavioral scientist Patrick Fagan looks at how banks can reduce consumer risk by better prediction of customers’ financial actions through personalized data-driven insights
Patrick Fagan is co-founder of Capuchin Behavioural Science and The Factory AI, and a former lead psychologist at Cambridge Analytica
COMPLIANCE IN TRANSITION - THE IMPACT OF COMPANIES HOUSE REFORMS
Ionela Emmett argues that recent reforms at Companies House to address vulnerabilities around financial crime offer an opportunity for financial institutions to get ahead of the governance curve. Insight from Ionela Emmett, Senior Manager in Compliance and Financial Crime Policy at ICBC Standard Bank
DORA THE ENFORCER – WHAT DO THE EU’S NEW REGULATIONS MEAN FOR THE UK?
The EU’s new Digital Operational Resilience Act (DORA) represents a significant regulatory milestone – but what will it mean for UK businesses with European interests?
With insight from Gerard Doyle, EMEA Head of Third Party Management and Procurement at SMBC Group
HOW EVOLVING CYBER THREATS AND AI ARE RESHAPING BANK SECURITY
After a decade in which AI has transitioned from concept to reality, how much has really changed?
And how does AI today help to reinforce banking security?
Tom Kartanowicz, CISO for Europe and the Americas, Standard Chartered
Jeff Simmons is Senior Advisor at Alba Partners
NAVIGATING THE FUTURE OF RISK MANAGEMENT IN FINANCE – AN EDITORIAL PERSPECTIVE
Jeff Simmons on why FIs must develop actionable, resilient, and robust TP exit strategies that go above and beyond regulatory minimums, such as the imminent DORA requirements.
IS AI ABOUT TO BECOME THE FINANCE SECTOR’S CRYSTAL BALL?
Data is always in the past. Is that all about to change with the launch of a new research project?
Brandon Davies, former senior board member, Barclays & Ali Kabiri, Professor of Economics, University of Buckingham
UNDERSTANDING THE COMPLEXITIES OF AI ADOPTION IN THE INSURANCE INDUSTRY
From ethical concerns to a lack of cross-industry standardization, just how big are the challenges around AI adoption for insurance companies?
Ted Pine, Senior Business Development Manager, AI Insure, Munich Re
Farewell to the Year that Shaped Our Future History
Andreas Simou, Managing Director, CeFPro
CeFPro andreas.simou@cefpro.com
CeFPro ellie.dowsett@cefpro.com
In 2024, more than 70 countries – collectively home to more than half the global population – asked their people to decide their political future.
From the UK to the United States, India to Iceland, and Russia to Romania, 2024 was the year when the world changed. The nature, extent, and consequences of that change remain to be seen. But what is already clear is that the financial services sector will not escape its wake.
In this, the third issue of our new-look Connect Magazine, we take a moment to pause and look back at the highlights of a 12-month period that has seen the risk, compliance and governance landscape reshape itself.
Some of the movements have been seismic, with changes in government in the UK and US elections delivering decisive results, while other economically significant elections – such as those in Japan and India – saw less convincing victories.
But regardless of the margins involved, there is no doubt that the global impact on financial institutions – and on risk professionals more specifically - will be significant in the years ahead.
But then again, in the business of managing risk only a fool would underestimate the consequences of ignoring the butterfly effect.
In addition to our pick of some of the best stories from the magazine, we also offer you new insight into how to build actionable and strategic third party exit strategies, and we take a look at how recent reforms to Companies House in the UK will impact compliance and governance.
You may have noticed that we are now offering you the chance to be a guest editor for Connect Magazine, and from January your organization will also be able to get its message out to the industry through monthly and annual advertising and advertorial opportunities.
To find out more about how you can get your voice heard through Connect, through the magazine and our newsletters, please contact any member of our editorial, marketing and sales teams. Their contact details are all included here.
We hope you enjoy your end of year festivities and everyone at CeFPro wishes our members and readers every success and growth in 2025 – it is certainly going to be an interesting time ahead!
2024: The Year the World Changed the Rulebook on Risk
Merlin Linehan is Risk Manager for the European Bank for Reconstruction and Development and works across business resilience, crisis management, information security, operational risk and climate risk. He specialises in geopolitical and political risk, global risk, crisis management and business resilience. He is a regular presenter, writer and commentator, and has been featured by many media outlets, including the BBC, Global Capital and the Financial Times.
The end of the Cold War for many marked a new golden age of prosperity and peace. US-led globalization saw capitalism and democracy spread to new parts of the world.
While regions such as Africa remain underdeveloped, other parts of the world - notably China and Eastern Asia - oversaw rapid and unprecedented economic expansion.
However, over the last ten years new trends have cast a shadow over globalization, creating new threats for multinational companies.
Competition between states over resources and technology fuelled by opposing ideologies is nothing new, but it has returned with a new intensity. A menacing wave of misinformation, increasing inequality and rapid technological change adds fuel to this fire. Most ominously of all, the threat of climate change-induced extreme weather and its knock-on impacts in the form of migration, conflict and cascading natural disasters presents the biggest long-term geopolitical risks.
These threats have pushed (geo)political risk up the agenda of boards, executives and organizations across the world.
There is a perception that geopolitical shocks increasingly threaten the stability of both countries and global businesses. But we can build resilient organizations capable of dealing with the shocks and even thriving in an increasingly fractured world.
Rising Competition
Competition over natural resources and technology is on the rise. Nations are looking to the future and realizing that the future of energy increasingly lies with renewable and climate technology. Additionally, advances in technology (such as AI, drones, computing) hold the key to future economic and military strength. Renewable energy and many technological advances are dependent on an advanced manufacturing base and a reliable supply of critical materials such as copper, lithium, cobalt, nickel and many other materials that are the raw ingredients for solar panels, batteries, laptops, phones and many military applications.
As a result, nations are introducing policies that will give them the advantage in these sectors.
China for many years has subsidised its climate technology sector and leads the world in the manufacture of batteries, electric vehicles, and solar panels. Realizing China’s lead in this crucial sector, other powers have responded to challenge Beijing’s dominance.
The misnamed US Inflation Reduction Act (IRA), which has transformed the landscape for US energy, provides incentives for renewable energy manufacturers to invest in the sector and take advantage of tax breaks and subsidies.
The resulting boom of US climate technology manufacturing means that other countries are sure to emulate their approach, increasing global competition for market share of clean energy tech and for the critical materials that are needed to build it.
Competition over technology is also on the rise. In 2022 the US government placed export controls over semiconductor technology to China - at a stroke providing the US a military and industrial advantage while weakening a rival. This move cut the supply of chips which enable advanced artificial intelligence – a hot area in terms of technology right now.
China hit back, placing restrictions over the export of technology around rare earth processing, which is an important part of manufacturing much climate technology such as electric car batteries.
Most concerning is when competition intensifies into open warfare such as the Russian invasion of Ukraine.
Another scenario which would inflict even deeper damage on the global economy is conflict over Taiwan. Even a military-enforced blockade of the island could freeze trade routes around China. Cutting off the world’s biggest trading nation would cripple the global economy and disrupt global politics in a way not seen since the Second World War.
The use of non-military measures such as sanctions, protectionism, and control over supply routes as an alternative to warfare has increased. Companies need to understand the impact of these measures or face legal, reputational or supply risks.
How can Organizations Develop Resilience?
Understanding political risk is an essential and perhaps obvious first step. By adopting horizon scanning, scenario planning and geopolitical forecasting, organizations cannot predict the future, but they can understand key trends and how they might affect their strategy.
Geopolitical risks may appear abstract, but they have a direct impact on business operations, via terrorist attacks, supply chain disruption or policy shifts.
Ensuring that a critical event management (CEM) process is in place to triage, react to and address risks of any kind is crucial. This is usually done through a crisis team drawn from different parts of the organization.
What is needed beyond the CEM is cultural change. Organizations need to be adaptable and flexible, ensuring lessons from previous incidents are not only learnt, but changes implemented.
No organization will claim they don’t want to be flexible. But in reality resilience can be difficult to implement in organizations designed for efficiency.
A resilient organization will have redundancy, which can look expensive until a crisis hits. This can mean cross-training employees, additional backup systems and testing, which are time-consuming but invaluable in a crisis.
Flexibility and adaptability are also essential in dealing with major incidents. Companies with rigid hierarchies and elaborate playbooks may look the best prepared.
But real life rarely follows a script and the best reactions to incidents will come from staff who are able to think on their feet and use their initiative while still guided by experienced managers.
When it comes to building resilience, a real-life crisis is the best teacher. The next best is a scenario exercise. Confronting executives with realistic scenarios of geopolitical risks and then asking them to react to an unfolding situation provides invaluable education and awareness. This is particularly true of geopolitical risks, which can seem abstract or distant to an organization.
Shifts in geopolitical risk need to be met head on by companies, not only by understanding the risks at stake but by building a resilient organization that can absorb shocks and thrive amid the most challenging political shocks.
Navigating the Future of Risk Management in Finance – An Editorial Perspective
Chandrakant is First Vice President, Lead Model Validator at Flagstar Bank, New York. He has more than 15 years’ experience in Financial Risk Management (Market and Credit risk) and has previously worked with business consulting firm Genpact.
As the guest editor of the November edition of Connect Magazine, I am very excited to offer key ideas and insights that emerged from CeFPro’s AI in Financial Services conference in New York last month.
This gathering brought together thought leaders, industry experts, and practitioners to explore the transformative potential of artificial intelligence in the financial sector. The discussions highlighted the pressing need for an evolving skill set in risk management as we navigate the complexities introduced by AI and digital technologies.
Embracing Dynamism in Risk Management
In today’s fast-paced financial environment, risk management is no longer a static field. Professionals must cultivate a dynamic mindset, characterized by a relentless curiosity to explore and verify information.
As artificial intelligence (AI) tools become more prevalent, the ability to adapt to new methodologies and technologies is paramount. It is no longer sufficient to have established opinions or practices; successful risk managers must actively engage in continuous learning and remain open to change.
For more than 30 years, continuous learning has been a cornerstone of formal risk management frameworks. However, in an era marked by rapid technological advancements, the need for continuous verification and validation has never been more critical.
Risk managers must routinely assess their strategies and approaches, ensuring they align with the latest developments in AI and risk assessment methodologies.
Those who thrive will be those who seek to validate their beliefs, challenge the status quo, and embrace innovative solutions. This adaptability will enable professionals to address the complexities and uncertainties inherent in modern finance.
The Critical Role of Social Skills
As technology advances, the importance of social skills within risk management cannot be overstated. The rise of AI and machine learning has enhanced data analysis capabilities, but it has also led to a tendency for professionals to operate within their ‘bubbles’.
While technology can provide quick insights, the richness of human interaction remains essential for holistic risk assessment.
At the conference, delegates witnessed firsthand how collaboration and networking can lead to fresh insights and innovative solutions.
Historically, effective risk managers stepped outside their comfort zones to gather information and collaborate with colleagues. Today, reliance on automated systems can unintentionally diminish critical thinking and collaborative skills.
To counter this trend, professionals must engage with one another, share insights, and challenge different viewpoints. This collaborative environment fosters a deeper understanding of risks and facilitates better decision-making.
Leveraging Collective Knowledge
In the realm of risk management, the collective wisdom of experienced professionals is a goldmine of knowledge. Each individual’s unique insights contribute to a broader understanding of risk dynamics.
While automated systems can streamline data access, the best strategies often emerge from meaningful discussions and collaborative efforts.
As we face challenges in data interpretation and automated analysis, the need for critical thinking and interpersonal skills becomes even more pronounced.
The discussions at the conference reinforced the idea that professionals who actively engage with their peers will find that shared knowledge and diverse perspectives lead to more robust risk management practices.
A Balanced Approach to Risk Management
To effectively navigate the complexities of an AI-driven world, financial institutions must embrace a balanced approach that combines advanced analytical tools with human interaction and collaboration.
Organizations should foster environments that encourage exploration, critical thinking, and teamwork among risk management teams.
By promoting open dialogue and collaborative problem-solving, firms can prepare their employees to meet the challenges of a rapidly evolving landscape. This proactive approach will ultimately lead to enhanced risk management strategies and more resilient financial institutions.
Conclusion
As we look to the future of risk management in finance, it is clear that the evolving skill set required for success hinges on a combination of curiosity, adaptability, and strong social skills. While technology provides unprecedented access to data and insights, the invaluable benefits of human interaction remain irreplaceable.
Exploring Emerging Risks in the Financial Industry
Deniz has extensive experience in financial risk management, having held senior positions in a number of leading financial organizations. Her expertise spans enterprise risk management, economics, scenario planning, compliance and governance, product management, data analytics, and AI/ML.
Deniz has also taught Risk Management at MBA level in San Francisco. She holds a PhD from UCSD, a Master’s in Law (MSL) from Fordham University, and holds additional credentials from Harvard, MIT, and Yale.
In the ever-evolving landscape of finance, understanding and mitigating emerging risks is crucial for success. Chandrakant Maheshwari caught up with Deniz Tudor to explore the challenges and opportunities that the rapidly changing landscape of emergent risk presents. Deniz heads the model development team, driving innovation across a diverse portfolio of advanced models and analytical tools.
What do you see as the most significant risks facing the financial industry over the next 3-5 years, and how should institutions prepare for them?
The financial industry is grappling with several significant risks, including cybersecurity, regulatory, and geopolitical threats. Cybersecurity breaches are on the rise, with increasingly sophisticated tactics employed by bad actors.
As AI becomes more integrated into systems, these threats will only escalate, compelling companies to invest heavily in robust cybersecurity measures.
Regulatory risk is another major concern, particularly with the evolving landscape of privacy and copyright issues stemming from AI usage. Finally, geopolitical tensions are unlikely to abate, adding another layer of uncertainty that institutions must navigate.
How can smaller institutions, which generally have fewer resources, effectively mitigate these cybersecurity threats?
Regardless of the size of the institution, there should be investments in IT and proper training to address cybersecurity threats. Proper training can go a long way in helping smaller institutions counter many phishing scams, for example.
With the rapid evolution of technology in finance, such as AI and blockchain, how do you think the traditional banking and finance landscape will change in the next decade?
I anticipate that AI, blockchain, and even quantum computing will significantly reshape banking and finance. These technologies will drive efficiencies and enhance productivity for firms willing to invest in them and upskill their workforce.
As competition intensifies, early adopters will emerge as clear winners, while others may struggle to keep up. However, with the promise of these innovations comes the need for AI literacy and careful management of the associated risks.
What emerging regulatory challenges do you believe financial institutions should prioritize, and how can they best adapt to an increasingly stringent regulatory environment?
Financial institutions face a unique challenge due to the lack of uniform regulations across the globe. It’s crucial for institutions to stay ahead of local rule-making while maintaining a global and ethical perspective. They cannot afford to wait for regulations to catch up with technological advancements. Adopting a ‘do no harm’ ethos should be the guiding principle for compliance teams, especially regarding data privacy.
‘Do no harm’ refers to respecting human rights, the right to privacy, and addressing broader societal threats like misinformation and other systemic risks. AI can be a harmful tool in the hands of bad actors if not used properly.
In your experience, what role do you think collaboration between fintech startups and established financial institutions will play in shaping the future of finance?
Established financial institutions often find themselves constrained by regulatory concerns, while fintech startups are typically more agile and innovative. This dynamic presents an opportunity for collaboration that can benefit both parties.
Startups may lack the capital for extensive projects, but they bring creativity and efficiency to the table. I foresee a trend of acquisitions over the next 5-10 years as traditional tech firms seek to capitalize on the innovative solutions emerging from the startup ecosystem, particularly in AI.
You mentioned that the partnership between fintechs and established financial institutions will be key. Can you suggest a successful example you have observed, so that readers may gain clarity?
There have been many acquisitions in the past where larger consulting companies have acquired smaller companies for their IT, platforms, etc. You can see similar acquisitions by consulting companies. I believe these trends will continue as more AI startups lead in innovation, while larger institutions that are usually slow to move internally realize the need to acquire these companies.
What trends or developments in the global economy do you believe will have the most profound impact on the financial sector in the near future, and why?
Geopolitical risks will continue to pose significant challenges, particularly concerning supply-chain disruptions. We are likely to see increased immigration from conflict zones, which will affect economies worldwide.
Additionally, the rapid pace of technological advancement raises concerns about income inequality. In an age dominated by AI, it’s essential that we promote AI literacy to ensure that no one is left behind.
The choices we make today will shape the societal trends of tomorrow, and AI has the potential to either bridge or widen the divide.
You have hit an important note in referencing growing inequality. What efforts do you think can be taken to tackle that in the present world?
The best way to deal with inequality is to upskill the existing workforce and educate the youth. I see many efforts in the corporate world to upskill the current workforce, but not enough effort in schools to educate the youth and prepare them for a changing world.
A New Era in Risk Management: Lessons from SVB’s Collapse
The collapse of Silicon Valley Bank (SVB) serves as a stark reminder of the vulnerabilities inherent in the financial system, particularly in the areas of interest rate risk management, liquidity risk management, board governance, and regulatory supervision.
Emma Hagan, UK CEO at ClearBank, recently highlighted these failures at our Risk Evolve event in a session that focused on SVB’s downfall and underscored the critical lessons to be learned and applied across the financial sector.
Interest Rate and Liquidity Risk Management
SVB’s collapse was precipitated by significant missteps in interest rate risk management. The bank failed to adequately hedge against rising interest rates, leading to substantial losses on its long-term securities portfolio.
This, coupled with a lack of diversified funding sources, left SVB particularly vulnerable when market conditions shifted.
The lesson here, says Hagan, is clear: financial institutions must implement robust interest rate risk management practices, including dynamic hedging strategies and diversified funding sources to mitigate similar risks.
This article was written with insight from Emma Hagan. Emma was appointed to the position of UK Chief Executive Officer at ClearBank in September this year, having previously served as Chief Risk Officer for EMEA at Silicon Valley Bank and in various roles at Lloyds Bank and HBOS. She is responsible for overseeing all aspects of ClearBank’s operations in the UK and further strengthening the bank’s position in the UK market.
“We need to look at what happened in terms of winners and losers from SVB’s collapse, and also some of the effects, in terms of root causes.
“What went wrong and what can we learn from that in terms of risk management? What are the things we need to think about at our own firms to do differently, to ensure that we don’t suffer the same failure as SVB?”
Board Governance and Oversight
Another critical factor in SVB’s collapse was inadequate board governance and oversight. Effective risk management requires not just a well-defined strategy but also vigilant supervision by the board to ensure that the strategy is being effectively implemented. Boards need to be proactive, informed, and deeply involved in the risk management processes of their institutions. They must ensure that management is responsive to the rapidly changing risk landscape, particularly in the context of fast-growing and increasingly complex business models.
Regulatory Supervision
The failure of regulatory supervision was also a significant contributor to SVB’s demise. As firms grow and their operations become more complex, the regulatory framework must evolve to keep pace.
Regulators need to adopt more intensive and sophisticated oversight mechanisms to address the unique risks posed by modern financial institutions. This includes a greater focus on the interconnectedness of financial markets and the potential for rapid contagion effects, which SVB’s collapse starkly illustrated.
Diversification and Deposit Insurance
In the aftermath of SVB’s failure, there has been a renewed emphasis on the importance of diversification, particularly in terms of deposit insurance. With limits on deposit insurance, institutions must ensure their deposits are sufficiently diversified across different financial institutions.
This strategy helps mitigate the risk of losing access to funds if a single institution fails. Additionally, the rising interest rate environment has intensified competition among financial providers, prompting businesses to seek more favorable conditions elsewhere.
Nervousness in the Market
SVB’s collapse has also led to heightened nervousness in the market, particularly regarding venture capital investment and business model stability.
There is an increasing focus on profitability and the sustainability of business models, as investors and regulators alike seek to avoid the pitfalls that led to SVB’s downfall.
Hagan agrees this nervousness is not confined to the US but is a global phenomenon, impacting financial institutions and markets worldwide, saying: “We’re already seeing some of that play out in banking as a service and some of the withdrawals from the market, along with increasing regulatory scrutiny on those models.
“Again, this is due to the complexity and the interconnectedness of those models making it far more exposed. And they haven’t necessarily got to grips with that yet in terms of what ‘good’ looks like from that market.”
The Role of Social Media
One of the unique aspects of SVB’s collapse was the speed at which it unfolded, driven by the rapid dissemination of information through social media. Unlike traditional bank failures that played out over weeks or months, SVB’s collapse occurred within 24 to 48 hours. This, Hagan says, underscores the need for financial institutions to be prepared for rapid shifts in market sentiment and the potential for accelerated bank runs facilitated by modern communication channels.
Innovation and Risk Management
Innovation in the financial sector, while necessary for growth and competitiveness, brings with it new risks. Institutions must ensure that their risk management frameworks are adaptable and capable of supporting innovation safely. This involves not only traditional risk management practices but also the ability to manage new dynamics introduced by technologies such as artificial intelligence and digital assets.
Effective risk management in this context requires agile and innovative approaches, as well as the right expertise to navigate these emerging challenges.
Scenario Planning and Stress Testing
The interconnected nature of modern financial markets and the speed at which crises can unfold necessitate a re-evaluation of scenario planning and stress testing practices.
Institutions need to consider scenarios that involve rapid, social media-driven events and develop playbooks for reacting swiftly to such crises.
This includes ensuring that liquidity stress tests account for the possibility of massive, rapid outflows and that recovery plans are robust enough to handle such scenarios.
“I think risk management needs to undergo the same kind of shift that we’re seeing in the broader market,” said Hagan.
“Risk management still has its place. But how adaptable are our risk management frameworks and are our risk managers able to cope with fast changing market conditions?
“I think bringing in the right expertise, changing the mindset of risk teams and developing more agile and more innovative risk management frameworks is critical to ensuring risk is managed in a very safe way that exploits the opportunity without creating a huge downside risk for the bank.”
What is clear is the collapse of Silicon Valley Bank serves as a powerful reminder of the importance of comprehensive risk management in the financial sector.
By learning from the failures in interest rate risk management, liquidity risk management, board governance, and regulatory supervision that led to SVB’s downfall, financial institutions can better prepare themselves for future challenges.
As the financial landscape continues to evolve, so too must the strategies and frameworks designed to safeguard it.
Beyond the Numbers: How Behavioral Science is Shaping the Future of Banking Risk
Would you like to buy a JPG of a monkey? It can be yours for £50,000.
At least, that’s what Justin Bieber’s Bored Ape NFT (Non-Fungible Token) was last valued at. It might sound like a lot, but it was priced at over a million pounds in 2022.
The NFT craze is a great example of how consumer behavior – even in financial services, where you might think (or hope) that people are ruled by logic and spreadsheets – is influenced by irrationality, emotion, and bias. In this case, heuristics like the bandwagon effect and scarcity played a big role.
Behavioral science is vital for survival in financial services. Without it, you risk falling prey to customers’ biases and flaws. Over £1.2 billion is lost to fraud alone every year, and the vast majority of this is due to human error rather than technical weaknesses. All the security protocols and penetration testing in the world do little to stop a person from sharing a picture of their credit card on Instagram, for example; and the most common password in the world is 123456.
The fact is, all of us – including your customers – are cognitive misers. That means we have very limited brainpower for paying attention to the world and for making decisions. It’s impossible to put a number on it, but one guess based on sensory neurons firing in the brain is that we’re consciously aware of only 0.0004% of everything the brain is processing at any one time.
We can’t think through all of our decisions carefully, so we have to rely on quick shortcuts called heuristics. If one bank has good reviews and one bank has bad reviews, which will you choose? It’s an immediate gut response with little careful thought – depending in this case on a bias called social proof.
This reliance on heuristics is true even when you’d think people would be careful and logical – like financial services. For example, one study found that logins to an investment app correlated with the performance of the stock market: the worse the market was doing, the less likely people were to log in. When the news was bad, they didn’t want to know. It’s called the ostrich effect.
Other examples include fluency, where people are put off by overwhelming information (one study found that every ten funds added to a pension plan reduced participation by 1.5-2.0%); or the default effect, where we tend to go with the status quo, which is why the UK’s auto-enrollment pension scheme increases yearly contributions by £33 billion within ten years.
Yet the application of nudges is not just about gains. More importantly, it prevents losses and reduces risk. Take the case of fraud prevention. Some banks have implemented a simple yet effective nudge: a pop-up message asking customers to pause and reflect before making large transfers. This brief moment of contemplation has been shown to significantly reduce the incidence of fraud, as it interrupts the automatic thinking that scammers often exploit. It takes people from a ‘hot’ state into a ‘cold’ one. It’s the same thinking behind that social media alert asking if you’re sure you want to repost that article without reading it.
In the realm of loan repayments, timely reminders have proven to be a powerful nudge, using the principle of saliency. We only act upon what is front of mind. A study by the Financial Conduct Authority found that sending personalized text message reminders to customers a few days before their loan repayment was due reduced default rates by up to 28%.
Crucially, however, nudges are not one-size-fits-all. What works for some audiences, or contexts, may not work for others. For example, saying a product is bought by every household in the country wouldn’t work for a luxury handbag; likewise, few people are scrambling for limited edition cans of baked beans.
One study sent over 50,000 letters advertising loans to households in South Africa. The researchers investigated the effect of various nudges on loan uptake – for example, simplifying the information in the letter had a significant effect. They also found that adding a picture of a smiling woman increased uptake – but only among men. The nudge worked, but only for a particular target group.
In banking, one paper concluded that the effectiveness of default options in retirement savings plans varied based on individuals’ financial literacy levels, wherein those with lower financial literacy were more likely to stick with the default option. Other studies have found that the default effect is more effective for anxious people.
It’s not just the message that can be targeted to reduce risk, but also how it is communicated. Research has shown, for example, that extroverts will respond better to bright colors, social imagery, and casual language. This kind of personality-based targeting increased the conversion rates of Facebook ads by up to 50% in one study. It hasn’t been tested in areas like fraud or defaults yet, but the potential is enormous.
The key here is that personality traits – that is, underlying behavioral dispositions – predict outcomes consistently across multiple contexts. Not only can personality predict nudge susceptibilities and messaging preferences, it can also predict banking behavior (both adverse and otherwise) – for example, impulsiveness has been linked to loan default, disagreeable ‘dark traits’ to financial dishonesty, neuroticism and disorganization to poor financial planning, and anxiety, impulsiveness, and agreeableness to scam susceptibility. If you understand a customer’s personality, you can predict their propensity towards certain behaviors, and you know the best way to message and nudge them into, or out of, acting a given way.
Crucially, since personality is simply consistent behavior, it can be predicted from the data points people leave behind – their digital footprints. An analysis of financial transaction data found that people who are less conscientious, for example (and thus more likely to possibly default), take more cash out and spend more on takeaways, while those who are more conscientious put more money into savings accounts. People who are more disagreeable (and thus perhaps likelier to be less honest with their bank) spend more money on investments and legal fees.
This kind of ‘data psychology’ approach can also be used contextually. Companies are, for example, able to predict loan defaults based on smartphone metadata – where users are more likely to default if they take more photos at night (suggesting a degree of impulsive sensation-seeking), have no fitness apps installed (suggesting low conscientiousness), or have many finance apps installed (suggesting a tendency to seek credit). Elsewhere, research suggests how deception and fraud can be predicted based on how quickly or slowly people answer questions in online forms.
Overall, there is significant potential to combine data and psychology to reduce risk. It could look like this: a user’s financial footprint suggests they are high in impulsiveness and low in conscientiousness (for example, spending a lot on taxis and nights out, and less on savings), suggesting they’re at higher risk of loan default and precipitating a ‘just in time’ nudge to remind them of their payment, using a fear-of-missing-out nudge in an urgent and exciting tone of voice.
This kind of targeted psychology has been used to nudge people away from adverse behaviors in other sectors like public health – yet in financial services it is currently underexploited.
The future of banking lies not just in crunching numbers, but in understanding people. By embracing behavioral science, banks can evolve from mere money managers to true partners in their customers’ financial journeys. In this brave new world of behavioral banking, success will come not just from predicting behavior, but from nurturing it—gently nudging customers towards a brighter financial future.
Patrick Fagan is a Behavioral Scientist with expertise in nudging, comms and data psychology. He is a Sunday Times bestselling author, a guest lecturer at UCL and Lecturer in Consumer Psychology at University of the Arts in London and is a former lead psychologist at Cambridge Analytica.
Compliance in Transition - The Impact of Companies House Reforms
Ionela Emmett is Senior Manager in Compliance and Financial Crime Policy at ICBC Standard Bank. Prior to taking up her current role in 2022, she spent four years at Commerzbank as Head of Fraud and AML Investigations, and 10 years at CitiBank where she was AVP, Senior Investigator.
Recent reforms at Companies House intended to introduce stricter identity verification, enhanced data accuracy, and expanded investigative powers to combat misuse and financial crime have sparked widespread discussion about their implications for compliance and corporate governance.
The changes address vulnerabilities in corporate registration, improving transparency and accountability to align with evolving anti-money laundering regulations and strengthen trust in the UK’s business environment.
For financial institutions, these changes represent a challenge. But there are also opportunities to be exploited, with options to enhance processes, bolster due diligence, and align with evolving regulatory expectations.
The Reform Landscape: A Promising Start
The changes Companies House is undergoing are an intentional step toward increased corporate transparency and accountability.
According to Ionela Emmett, Senior Manager in Compliance and Financial Crime Policy at ICBC Standard Bank, the changes are a positive development but will take time to implement effectively.
She acknowledges that Companies House finds itself in a challenging position: “They had a new reform process with a lot of new changes, which will probably take quite a lot of time to implement. However, I think it’s a promising step forward from the government side.”
Emmett’s analogy encapsulates the gradual nature of this transformation: “You can’t make spring in one day or with one flower,” she says.
A Minimal Impact for Some
For financial institutions that already operate with strong compliance frameworks, the reforms have not caused major disruptions.
“We already have a very strong, robust policy and procedure around the know-your-client screening,” Emmett explained. “We don’t rely only on Companies House as a golden source for corporate registry. We use other tools in combination to ensure that we have adequate due diligence on all our clients.”
By leveraging multiple tools and approaches, banks can achieve comprehensive client verification, reducing reliance on a single source of data.
The Quest for Accuracy and Reliability
While the reforms aim to enhance the accuracy and reliability of corporate records, challenges remain.
Emmett points out the inherent limitations of corporate registries, saying: “You’re never going to find that perfect database that’s going to give you super accurate corporate records. And even if the records are accurate, are they reliable? Have they been verified?”
To address these gaps, she says, financial institutions must adopt a multi-faceted approach, adding: “We do various verification to reassure ourselves and gain some extent of comfort that we have sufficient information when we decide on a client relationship.”
Policy Adaptation and Training Efforts
One of the most significant impacts of the Companies House reforms is the need to adapt internal policies and procedures, with Emmett explaining that in her own organization all their KYC procedures and even their compliance procedures had to be refreshed. However, updating policies is just the beginning. Ensuring that these changes are understood and implemented across an organization will require senior teams to double down on their training and educational efforts.
“It’s not just a simple review,” Emmett emphasized. “The implementation takes time. We have to deploy a lot of training and educational materials so people can understand better the new reforms.” Perhaps unsurprisingly, face-to-face training often proves particularly effective in helping staff absorb these complex changes.
“We’re trying to deliver more training face-to-face, where people can feel closer, engage with us better, and ask questions about these new changes, because they are sometimes very difficult to absorb,” Emmett explained.
Challenges in Real-time Adaptation
What has become clear is that the Companies House reforms also pose practical challenges in real-time compliance efforts.
For example, balancing new requirements with existing due diligence frameworks requires careful integration, with Emmett confiding that while her team closely monitors legislative changes, their reliance on diverse tools ensures resilience.
“If there’s anything that we can contribute to this new implementation, we will be more than happy,” she said, adding that this proactive approach also serves to highlight the importance of adaptability in navigating regulatory shifts.
The Bigger Picture: Enhancing Corporate Transparency
The broader aim of the Companies House reforms is to enhance corporate transparency – a goal that aligns with the financial sector’s wider commitment to combating financial crime.
By increasing the accountability of corporate entities, these changes lay the groundwork for more robust governance frameworks across industries.
However, Emmett’s view underscores the ongoing nature of this transformation. And whilst the reforms provide a foundation, their success still depends on the collaborative efforts of regulators, financial institutions, and other stakeholders.
A Call for Continuous Improvement
For compliance professionals, the transformative nature of the reform process highlights the importance of being proactive in trying to stay ahead of regulatory changes and continuously improve processes.
Emmett’s approach perhaps neatly reflects this mindset, emphasizing the value of strong internal frameworks, comprehensive training, and proactive engagement with new requirements in building a more resilient compliance framework within which to work.
As Companies House continues to evolve, financial institutions will need to balance compliance obligations with strategic opportunities in order to foster transparency and accountability.
There’s little doubt that this process transformation represents a critical moment in time, and while challenges remain, there are real opportunities for financial institutions to take stock, identify where it makes sense, from a corporate compliance and governance perspective, to go beyond the minimum regulatory requirement, and get ahead of the curve.
As the reforms take root, their success will depend on the collective commitment of all stakeholders to embrace change, navigate the inherent complexities that change will bring, and build a stronger foundation for the future of compliance.
DORA the Enforcer – What do the EU’s New Regulations Mean for the UK?
Gerard Doyle is currently Head of Third Party Management and Procurement at SMBC Group, joining the organization in February of this year. Prior to his appointment at SMBC he spent 12 years in various roles at Credit Suisse, culminating in more than 8 years as Chief Operating Officer and Head of Third Party, Operational Resilience and OCIR.
In an era marked by rapidly evolving financial technologies and increasing cyber threats, the European Union’s Digital Operational Resilience Act (DORA) represents a significant regulatory milestone.
Though the UK is no longer part of the EU, DORA’s implications for UK financial institutions are profound due to the interconnected nature of the global financial system. This article explores the impact of DORA on UK financial institutions, navigating the complex regulatory landscape that shapes this dynamic sector.
Understanding DORA
DORA aims to establish a robust framework for ensuring the operational resilience of digital financial services within the EU. The regulation mandates stringent requirements for risk management, incident reporting, and ICT third-party risk oversight. According to DORA, financial entities must “ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats” while maintaining continuous service and safeguarding data integrity.
Gerard Doyle, EMEA Head of Third Party Management at SMBC, says that DORA will serve to consign the traditional view of third party compliance as a box-ticking exercise to history.
“I think DORA now demands broader risk management,” he says. “What management bodies and regulators want to hear now is how you manage the risk. What’s the so-what? What should I be worried about that extends beyond compliance? It becomes more multi-dimensional.
“The way you measure that needs to change and thought needs to be given to how that risk management is integrated into the organization. How do we create an opportunity to be able to apply proper appetite-setting risk framework tools to help make that transition from looking at it purely from a compliance perspective?”
Cross-Border Regulatory Impact
Despite Brexit, UK financial institutions cannot afford to disregard DORA. Many UK-based entities operate across Europe or have clients within the EU, necessitating compliance with EU regulations. This alignment is critical for maintaining market access and operational continuity.
Enhanced Risk Management and Resilience
DORA’s emphasis on risk management aligns with the UK regulators’ focus on operational resilience. The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have been vocal about the need for firms to bolster their resilience against operational disruptions. By adopting DORA’s principles, UK financial institutions can enhance their risk management frameworks, leading to greater resilience against cyber threats and technological failures.
DORA’s guidelines on incident reporting and risk management aim to provide a comprehensive blueprint for organizations to refine existing practices, and push them to not only meet but exceed regulatory expectations.
Incident Reporting and Transparency
One of DORA’s key requirements is the obligation to report significant ICT-related incidents. This transparency fosters a culture of accountability and continuous improvement. UK financial institutions, by aligning with these standards, can enhance their incident response mechanisms and promote greater transparency within their operations.
Adopting DORA’s incident reporting standards ensures that UK financial organizations are not just compliant with EU regulations but can also respond swiftly and effectively to any disruptions. This level of preparedness can prove invaluable in maintaining trust with clients
This aspect of the regulation is particularly relevant for UK firms, many of which rely on a global network of service providers, since by implementing DORA’s rigorous standards, UK institutions can mitigate risks associated with outsourcing and third-party dependencies.
Compliance Challenges and Opportunities
While DORA presents several benefits, it also poses compliance challenges for UK financial institutions.
Aligning with a comprehensive regulatory framework like DORA requires significant investment in technology, staff training, and process redesign, potentially increasing the compliance burden – especially for smaller firms.
However, other organizations may view this challenge as an opportunity for innovation and growth.
The Path Forward
Navigating the complexities of DORA in the post-Brexit regulatory environment necessitates a strategic and proactive approach. UK financial institutions must stay abreast of regulatory developments, engage with industry bodies, and collaborate with regulators to ensure compliance while maintaining operational efficiency.
“Adaptability is the key word here,” says Doyle. “We’ve seen Covid, we’ve seen the Ukraine conflict, the energy crisis. We can’t always predict what’s happening in the future, but the past isn’t always a great predictor of what’s going to happen in the future either.
“So I think supporting the functions that are doing the outsourcing is key to this. We need to identify from a risk and value perspective which are the suppliers that are critical to us and the business that we operate in, and then use that as a way of determining best practice.
“You can then cascade those learnings down to your other vendors, but I think you’ve got to take a risk-based approach initially.”
DORA also presents clear opportunities.
By proactively engaging with both UK and EU regulators, UK institutions can influence and adapt to the evolving regulatory landscape, ensuring they remain not only competitive and compliant, but directly influential.
As the financial sector continues to evolve in a complex regulatory environment, the ability of UK institutions to adapt to and embrace regulations like DORA will be a critical determinant of their success. By leveraging DORA’s principles, UK financial institutions can not only navigate the regulatory complexities but also position themselves as leaders in operational resilience and innovation.
Resilience Beyond Regulation in TPRM
Jeff Simmons is Senior Advisor at Alba Partners. Prior to taking up his current role he created and led the Enterprise Risk function at MUFG Securities Europe. He had previously spent 20 years specialising in best practice risk management.
In this exclusive Q&A, Jeff Simmons, Senior Advisor at Alba Partners and former Chief Risk Officer at MUFG Securities Europe, shares his insights on developing robust exit strategies for third-party risk management.
Speaking at CeFPro’s recent Third Party Risk Management event in Amsterdam, Simmons challenged the notion of regulatory compliance as the primary driver for action. Instead, he advocates for exceeding regulatory standards to build resilience.
From adapting to frameworks like DORA to managing unplanned supplier exits, he highlighted the importance of tailoring strategies to critical functions and aligning them with broader business continuity efforts.
What strategies do you recommend for reinforcing exit plans in a stricter regulatory environment?
First of all I’m not a believer in the thinking that something has to be done because the regulator demands it. An organization should always strive to be better than the regulations, and therefore as such the ‘stricter regulatory environment’ part of the question doesn’t really align with that.
Be that as it may, exit strategies are an essential part of any third party relationship, and I believe should be developed in all cases.
Having said that, I think it is a common experience that exit plans are viewed as unenforceable and impossible to action. So, the reaction to this is that they are not necessary. I have had direct experience with this in the Brexit entity for which I was the CRFO in Europe.
Basically we had a situation where our principal outsourcing partner was the ‘mother ship’, without them we could not survive and therefore an exit strategy was not necessary.
I took a different approach, basing the strategy not so much on an IBS basis, but more around the DORA ‘Critical and Important Function’ (CIF) philosophy.
Essentially this meant categorizing my processes into a number of categories (I used 4) and then Exit Strategies were developed for each category.
For trading platforms and settlements, for example, the exit strategy assumed a wind down. For payroll services however, I analyzed the impact of using a different service provider etcetera. This gave me quite a range of strategies, all of which could be tailored to the materiality of the process.
If we apply that same philosophy in the wider context (cloud services, for example) then the first reaction could be ‘Without them, we are done for, so what is the point of an exit strategy’? I would apply the same logic as above. Start with the critical services – and to be clear, these should include all of your IBS’s – and analyze them against the third party service. Investigate alternatives in the event of a failure and develop actionable plans for each of those services.
It all seems obvious, but break the problem up into smaller more manageable components and deal with them from there.
How do exit plans tie into broader business continuity and crisis management efforts?
Clearly there is a relationship, but it is not direct; one does not necessarily lead to the other.
An exit plan must include clear trigger points for being invoked and obviously these must also be linked to the specific supplier agreement.
On the supplier agreement there must be provisions for their own business continuity and crisis management, and these must form a part of our own organizational framework.
What is important is the relationship between your suppliers, including, of course, concentration, as it may be that a failure in one may lead to an exit of another.
Take payroll performed in the cloud, for example. A failure of their cloud provider may also impact our organization, and so we rely on the cloud provider’s own contingency plans to get us back up and running. However, the impact on the payroll provider may be so catastrophic that we have no choice but to invoke the exit plan.
How do exit plans need to adapt to meet DORA and similar regulatory requirements?
As I’ve already mentioned, I don’t like the idea of the regulator driving best practices. In my view, they should be providing the minimum standards.
Though to be fair, DORA is an interesting case. It is very IT and IT resilience focussed (the PRA on the other hand is more business service focussed).
The implications of DORA, therefore, lie in understanding the third party IT resilience framework, and, by extension, the third party’s exposure to their own third party (i.e. your fourth party), and so on down the chain of suppliers.
This is proving challenging across a number of organisations and gaining line of sight on the entire supply chain is sometimes difficult, especially when we then try to factor in exit strategies.
What provisions should be in place for potential third-party disruptions?
There is an obvious answer here, and that is that there should be clear and actionable provisions in place for such events. Simple!
However taking a step back from this we know that it is essential that third party vulnerabilities are identified through the risk management process.
To be clear, I don’t mean that this is limited to just first and second line, who obviously have a significant part to play in this as well. These risks and vulnerabilities should form part of the standard risk management life cycle.
Once identified, the provisions should reflect mitigating actions against the identified risks, rather simple really.
The implementation of these “provisions” though can be quite challenging. Operational resilience risks in particular can have severe consequences on the IBS and CIF’s that have been identified in the organization and these should form the key to the actions that are developed.
As I mentioned above, the Third Party Risk Management Framework is the driver for this process, but it must have a clear and demonstrable linkage to the organization’s IBS/CIF.
How else can you know the impact that a third-party disruption would have if that linkage is not established?
The focus on IBS/CIF has, in my view, turned organizations on its head a bit. Whereas previously we saw organizations structured around risk categories and IT assets (with separate areas for HR and Facilities) in the new regime these all form part of the IBS/CIF landscape, they are simply ‘assets’ for these important services.
So, coming back to the question, it is essential that any provisions and actions that are developed focus on the resilience of the IBS/CIF landscape.
How can exit planning be improved when offboarding insolvent suppliers?
I think there is always scope for improvement, no matter what the process. Here though I think it may be slightly different.
Exit plans always have an element of planned, and unplanned exits. It is the latter that tend to be somewhat chaotic and harder to handle.
Again, the key here is the impact on the IBS and how quickly can normal service be restored in the event of an unplanned or chaotic exit from a third party. It is essential that the exit planning covers this eventuality.
Now, I know I am not saying anything which is not obvious, but for some larger suppliers finding alternative solutions quickly can be challenging, and in some cases not even possible. So, this means that exit planning needs to extend wider than just supplier replacement.
The plans need to explore the resilience of the IBS’s and the measures that would be taken in the event of an unplanned or chaotic exit.
This would need to incorporate such measures as corporate communications, transfer of some specific services to other channels within the organization, and perhaps even a complete cessation of the services in some cases.
So, yes – exit planning has to be improved beyond the regulatory minimum and factor in impact tolerance and BIA’s.
How Evolving Cyber Threats and AI are Reshaping Bank Security
In a recent Q&A session, Tom Kartanowicz, CISO for Europe and the Americas at Standard Chartered, looks at how AI has evolved over the last decade and how it is now being used to rewrite the book on bank security.
Can you talk about how third party risk has evolved over the last few years? What have been the steps of evolution, and – critically - what new management trends are emerging in response to the way third party risk has changed?
Well if I were to go back 10 years to 2014 and think of third party risk management through a cyber lens, I see incidents like Home Depot, Target, and those types of data breaches where there was a certain level of sophistication at the time that adversaries had. They were able to compromise a HVAC system, for example, and get access that way.
Fast forward 10 years, and I think we’re living through the results of our digital revolution and digital transformation. Everything is online at the speed of yesterday. So our exposure as a bank, as a firm, has just increased so much versus 10 years ago.
If I’m an adversary, if I’m a hacker, nation state, whoever, I don’t have to go after 20 individual banks. I go after one vendor. I could go after a managed service provider.
So I think what has changed from my lens is just the sophistication of the attacker, the complexity of how they operate. They are very smooth and sophisticated. They almost have their own third party program, they have affiliates, they have folks who specialize in initial access and lots of other things, like division of labor. And they do that the same way we do.
So seeing that has really been the game changer for me. The benefits of digital transformation used by adversaries have made my days very interesting as a CISO.
You referred there to the rapidity of change – the fact that compared to 10 years ago, change is happening at a thousand miles an hour. So with the increasing reliance on cloud services and FinTech partnerships and all of the technology that makes life ‘better’ and ‘easier’, what are the key challenges that banks face in managing third party risks – and how are you addressing those?
Again, if I was asked this five or 10 years ago, I may have had some similar responses, right? Where’s our data? How well is our data being protected? How quickly can we respond to any type of attack that’s happened?
But I’d say the twist for 2024 is in trying to be more proactive where we’re focusing more on having a specialized third party intelligence team that goes out and does proactive sweeps of the dark web, proactive sweeps of intelligence services, to look for attacks before they happen or attacks that are in flight on our vendors.
So of course everyone does the questionnaire, right? Everyone is collecting data. It’s static. It’s a necessity. It’s a necessary evil. It’s a compliance thing. I get it. But attackers don’t care about compliance rules. Attackers don’t care about checkboxes.
What is more interesting though is the reality that’s happening out there. And that’s where we’re taking a more proactive approach. For example, if we see cases where one of our third parties might be under attack and we know it before they do, we proactively tell them.
So it’s almost like we offer a kind of service to be there as a partner. And on the flip side, we know that if they’ve been attacked, our own data is at risk.
And because we know this, we have established very clear escalation procedures and data points that we can use quickly to make a decision to cut off a service or not.
So I think what’s different again compared to a couple years ago is that need to have a defined escalation criteria and a shut-down and re-enablement criteria of these services.
When attacks happen, you can’t just make up your playbook on the day. So having a clear sense of responsibility and then getting the assurance that that third party’s remediation is up to our own standards is important.
So they may have been breached, they had their attack, they recovered. Well, show us the report, show us the proof.
A few years ago, we probably were more lenient, like, we’re back online, great. You had a report done showing your environment is clean, great. Now we’re kind of challenging that and saying, okay, who did your forensics report? Are they reputable? Would we use them? And then it becomes more collaborative.
Right at the beginning of that answer, you said, if you’d been asked this five or 10 years ago, you’d probably have asked some of the similar questions. And isn’t that the fascinating thing – that no matter how quickly things change around us, the fundamental goal posts don’t seem to move.
They don’t. They’re fundamentally there, and that’s where getting better and getting more efficient and using some new tools and technology comes in.
We have to give a shout out to AI here, but it does make a material difference when instead of having 25 analysts wasting time going through data feeds with a fine-tooth comb to weed out false positives, a tool could do that for you.
That in turn means your analyst could spend time doing higher order things, not just needle in a haystack stuff that’s very boring and a waste of everyone’s time. So we can definitely use AI to help us, but the flip side, of course, is that the adversaries are also utilizing AI to write custom malware, so again, it’s a double-edged sword like anything else.
Clearly AI and machine learning have a role to play in enabling and facilitating risk management. So how do you leverage that and stay ahead of the game, especially since, as you’ve already said, adversaries don’t need or care about compliance?
Again, it’s all about the speed and the response time and the evaluation time. From where I sit, it’s mainly significant in terms of response and recovery side of full-on incident response.
Cyber incident response today has a huge third party component. So, that’s where I see the biggest gain. A lot of the tools we rely on in the industry have elements of AI now that behind the scenes are making things more efficient.
But again, all of that has to be challenged and questioned because AI is not infallible. Mistakes can happen, false positives can happen, and you have to worry about data poisoning. Some adversaries like to feed false information into your AI. Some people want to poison the cache.
So with every great technology comes great responsibility. So it goes back to how you secure your tools, how you secure your data, how you secure your own AI tools and your vendors’ use of AI as well.
Can you share a recent example or a case study where a third party incident has impacted a bank or another financial institution and what lessons were learned from that incident?
But I think that the MOVEit vulnerability that happened last year is interesting. MOVEit is a file transfer solution and in this case a vulnerability was identified in this software that adversaries were able to exploit to get access to files.
Those files belonged to various organizations. Not just banks, but also education, government, hospitals, et cetera. And what was interesting about MOVEit was that it was a one-platform approach.
And what that means is that maybe your third party or their third party – effectively your fourth party – uses it. But you don’t think about these things, right? It’s kind of part of that huge ecosystem.
You know, we sign an agreement with this company. Well, do they use MOVEit? I don’t know, and maybe it’s not something you know enough to ask. But then you find out they do use it, because suddenly the adversaries have your data.
Another one that’s also interesting is a company called Snowflake, who are a provider of cloud services and cloud infrastructure and in 2024 a lot of high-profile organizations in network telecommunications and banks have a nexus to Snowflake.
What’s interesting in the Snowflake attack is that they really didn’t do much wrong. The attackers were able to find users of this software distributed throughout the world and they used some kind of data scraper to get credentials to attack the endpoint, the computer that those users were on.
Snowflake doesn’t mandate multi-factor authentication, they leave it up to the user or the user’s company. They leave it up to the company to enable that.
So the attackers go out, they find weaknesses in laptops, other computer systems, whatever. They get hundreds of credentials. They then collate it. They do some of their own data mining and they start attacking endpoint users to get company data that belongs to banks, telecom companies, et cetera.
So to me, that was pretty groundbreaking, and also pretty exciting and scary at the same time.
Is AI About to Become the Finance Sector’s Crystal Ball
The project you’re working on together is really about how we can build future thinking into AI, not only in terms of how AI can improve risk modeling but also in terms of how it can inform future strategy and decision-making.
Before we get into the detail of that, perhaps you can explain how you came to work together and how the project came into being.
Ali: Since the crisis of 2008, I’ve had a deep interest in credit flows, known as credit frictions, and macro-financial behavior in general – in other words, how the financial system interacts with the macroeconomy.
One of the main findings that came out of the 2008 crisis was that macroeconomics and finance were too far apart as disciplines, as areas that didn’t overlap well, but which are very important.
So a lot of my research has been about how credit behaves, and I suppose this led to understanding how credit and risk are intertwined.
I was working on a project looking at the Great Depression with Professor Harold James at Princeton where we tried to look at the psychology using computational techniques to extract the psychology around that time, and human psychology extracted from the WSJ appears to have been a driver of credit spreads.
That then evolved into looking using advanced computational techniques to try to understand the current relationship between human psychology and risk in the financial system, using modern financial news data, with similar results.
Brandon: Similarly, my interest is partly related to lectures I was doing at the University of Buckingham. A lot of my lectures were derived from the work I’d done in building models for use in dealing rooms which needed to incorporate concepts of dynamic and conditional correlation rather than using set statistical probabilities.
So, we approached this project from two different angles – because if you’re actually going to teach people about markets, you need to teach them about endogenous processes, not just exogenous shocks. And (endogenous processing) models incorporating endogenous processes have become an incredibly important aspect of looking at how extreme events materialize in the banking and wider financial system.
Can you talk about your collaboration and its purpose in a little more detail?
Ali: In this project we’re aiming to harness the expertise of financial professionals and the power of large language models – to train AI models.
Brandon: And that has lots of implications for the industry because one of the problems with very large language models is they tend to have to store the data on the cloud. I’ve had innumerable discussions with regulators over using the cloud and their concerns, particularly about losing control of data and possible single points of failure.
In my experience, they tend to much prefer the idea of everybody looking after their own data, because that way they are looking over multiple points of failure, and attacking lots of systems is much more difficult than one or two.
Building models based on language brings its own problems. For example, you’ve got the problem of assigning scores to specific phrases in large language models, and language is highly contextual.
The finance industry’s interpretation of words and phrases will be dwarfed by lots of other interpretations of it – so if the model’s data is not well trained, the models can get confused and your results will suffer accordingly.
We also think that if we can apply human expertise through appropriate training of the model data we can bring the data requirements down to about one percent of what we would do normally just using a large language model without appropriate training. And the same reduction probably applies to the analytics side as well.
And you’re using a lot less time because you’ve got a lot less data to use. So, your models become much more powerful. And, therefore, much more available to a lot more people, and a lot more of the industry. So, it has big implications.
Can you give us a broad example of how the financial services sector might use the work that you’re doing in a practical daily sense?
Brandon: From an industry perspective, I always contrast this with when I first went into a dealing room and all we had was analog data. Now that’s going to sound weird, but some of us will remember the old TV sets that were really just great big vacuum tubes and all they did was display an image. There was no data capture in that tube.
That was also true of dealing rooms, where every screen was an analog screen. But at the same time, we were getting more and more interested in analyzing the market and its behavior and, potentially, projecting where it was going. And for that we needed a lot of data.
The first step we had to take was to pixelate a screen in order to work out where the pixels for the data appeared on a screen, and then capture it into what we today would call a PC or a server.
And that was the beginning of a whole new industry, because then we had data. And once we had data, we had models, and once we had models, we could start to analyze specific scenarios and projections.
But the big thing missing from all models is future data, because there’s no such thing. All data has already happened – or it might be happening in front of you, but it isn’t in the future.
The interesting thing about using AI and, in particular, large language models, is that you’re getting a different picture of the future. It’s not a picture that’s just a projection from the past. It’s actually what people are thinking today about the future. And that is, I think, very exciting for future modeling of markets and future modeling in economics.
It means we can start to look beyond historic data and start looking at what’s going to happen and, and analyzing that, rather than just having our own educated or informed opinion, so to speak.
Ali: To a certain extent, we still don’t know exactly what we can get from the data, but our preliminary work suggests that there is very useful information about behavior that looks forward. So how would we contrast that to what is done presently?
There’s some excellent work being done using survey data to try and glean what people are thinking about the future. But survey data tends to be very infrequent, and this is a way of harnessing people’s thoughts and perceptions about the future almost instant second by second at a very high rate of frequency.
Presumably, then, if you extrapolate the work that you’re doing and you look at how you might map that into a financial services organization, you’re talking about creating tools that will allow those organizations not only to refine their revenue generation activity, but also to make their risk management models more effective, more dynamic and faster.
Brandon: Absolutely. The ability to apply models changes out of all recognition, and this is where it’s going. It’s not just about replacing people with machines. That’s not what it’s about at all. It’s using a whole different way of thinking about analyzing potential and forthcoming events and trends.
Ali Kabiri is a professor of economics at the University of Buckingham. Brandon Davies has spent half a century working in the financial services industry, has held senior positions at banks and FinTechs, was on the management board at Barclays, and has a passion for artificial intelligence and how it impacts our work, particularly in the financial services sector.
Other models will have their role as well. I don’t think we’re going to see one model. Far from it. I think there’ll be thousands of them.
So what is it that you now need in order to inform the work that you’re doing?
Ali: We need domain expertise to help us train this model. Specifically, it involves taking part in a survey where respondents will be asked to look at financial news text and give responses on a scale of, say, minus five to plus five based on various questions.
Those questions will be about that text – how they perceive it, how they may react to it. That’s the main task – to get their knowledge into the large language model so their responses can essentially be used to train it as if it were seeing the data as they would see it. And then it can be applied in real-time.
Brandon: The idea is to help the model to learn phrases and understand what they mean in order to apply them to new data. The model would have to probably need to be refreshed every so often, but we desperately need this kind of engagement.
Of course, we know the engagement has to go both ways. So, in return for their engagement, what we’re offering is the opportunity to learn, in quite some detail, how large language models operate, how we train them, how they can be applied in their own field, and so on.
I think AI is going to be the future of just about everybody’s career, just as the move from analog to digital was 40 years ago and getting an understanding of how that is going to be very, very important for the future of anybody’s career in finance.
Ali: One of the big debates in academia at the moment is the speed at which these models are advancing, which means that they are the highest end. But right now, the models are behind closed doors, and so there’s a big effort in academia to keep these models visible.
What are your thoughts on the evolution of AI? It’s growing so fast that sometimes it feels a bit like a runaway train, doesn’t it?
Ali: It’s moving very quickly. AI in general has many different aspects, so in many dimensions, I think we’re seeing exponential discoveries, and yes, it’s a very exciting area.
Brandon: It’s very exciting. It isn’t, in my view, unprecedented. I can remember putting these initial computers in a dealing room. And at that point – and I have photographs of this – there are only about six desks in a 300-desk dealing room. Yet 12 months later, there was hardly anything left of the analog world, not least because the big information providers were also going digital.
The digital world took over at astounding speed and completely revolutionized everything we were doing across all the markets. We had digital data on everything from commodities and currencies to debt instruments, bonds, equities, you name it. We could develop new products we literally could not have thought of in an analog world. Well, the same thing is likely to happen here, I think.
So effectively, the message seems to be get on the train, or you’ll be stuck at the station.
Ali: I think so, but to a certain extent, nobody actually knows. It’s very complex. AI certainly will be part of everyone’s lives and undoubtedly a part of the future of the finance industry, as a leader in the technology area. But that’s why I think engaging with it is probably a sensible strategy.
Understanding the Complexities of AI Adoption in the Insurance Industry
Over two days on October 7 and 8, some of the leading figures across America’s financial services industry will convene in New York for CeFPro’s flagship AI in Financial Services event. In this article, based on an interview with Ted Pine, Senior Business Development Manager with Munich Re Insure AI, we take a sneak preview of some of the key issues facing the insurance industry when it comes to AI adoption.
As the use of AI continues to surge within the financial services sectors, the insurance industry stands on the precipice of a significant transformation.
Ted Pine, an AI underwriter at Munich Re, one of the world’s leading reinsurance companies, has been at the forefront of this evolution for the past two years. With Munich Re underwriting AI risks for six years now, Pine offers a unique perspective on the challenges and opportunities that AI presents to the insurance sector.
Challenges of Adopting AI in Insurance
The adoption of AI in the insurance industry is not without its hurdles. Pine highlights that the key challenges are closely intertwined with the ways in which the industry is addressing them.
“If you look at AI and the use cases to which it’s currently being applied in insurance, you’ll find that because the technology, particularly generative AI technology, is so new, insurers at this point are kind of controlling their risk, mitigating their risk, if you will, by picking very familiar and well-known use cases to automate,” he explains.
Indeed, one of the primary strategies the industry is employing to mitigate risk is to start with established, low-risk applications. For instance, many insurers are using AI in customer service chatbots—an area where the industry has decades of experience.
Pine notes, “We have a lot of experience understanding what a successful customer experience mediated by automation looks like. We also know what the risks are and what can go very wrong.”
By applying AI to these familiar scenarios, insurers can test the technology’s effectiveness without exposing themselves to significant financial or reputational harm.
Ensuring Ethical AI Use
As AI continues to evolve, concerns about its ethical use, particularly in terms of data privacy and algorithmic transparency, have become increasingly pressing.
Pine emphasizes that the insurance industry, like any regulated industry, has been grappling with data privacy issues for decades.
“AI in and of itself should not change either your risk appetite, as far as the use of data goes, nor should it change your rules of the road around how you’re going to use data,” he says.
However, AI introduces new challenges, particularly when it comes to combining different types of data.
“One of the big issues with AI is that you may be tempted, particularly in the name of something like customer service or building an internal knowledge base, to combine types of data that you haven’t done before, because AI is very good at that,” Pine cautions, stressing the importance of asking basic questions about data usage and potential leaks whenever new data sets are integrated into AI systems.
Pine also touches on the ethical dimensions of AI, arguing that a company’s AI ethics should align with its overall corporate ethics. “Just because it’s a new technology, and just because it has new capabilities doesn’t mean you throw out the rule book of what your company considers to be ethical practice,” he says. Yet, transparency remains a challenge, particularly when it comes to understanding how AI models arrive at their decisions. “Unfortunately the answer at the moment is that you can’t,” Pine admits. This opacity underscores the need for robust risk management practices to address any residual risks that AI models may introduce.
Emerging Trends and Future Directions
Looking ahead, Pine identifies a significant gap in the industry: the lack of standardized frameworks for managing AI deployment: “There’s no established standard or framework against which we can manage our AI deployment practices,” he notes.
And he says that whilst best practices can be shared through professional discourse, the absence of formalized standards poses a challenge for the industry as a whole.
Pine envisions a future where standardized practices will enable companies to present a comprehensive inventory of all AI models in use, along with detailed documentation on data sources, model performance, and incident management.
Such standardization would not only enhance operational efficiency but also facilitate the creation of a more robust market for underwriting AI risks.
“Eventually, what every company wants to move to is being able to present an inventory of all the models that are in use, and where the data came from,” Pine suggests, adding that this level of transparency and documentation would be crucial for insurers to accurately assess and price the risks associated with AI.
Overcoming Stumbling Blocks to Widespread AI Adoption
Despite the potential benefits, widespread adoption of AI in the insurance sector is still in its early stages. Pine believes that the key to overcoming this inertia lies in gaining experience over time: “The function of adoption is really going to have to do with experience over time,” he says, pointing out that most companies are currently focusing on low-risk, utilitarian applications of AI.
Pine also highlights the importance of understanding the different ways in which AI technologies can fail compared to legacy systems.
“What we’re going to see as people get up the curve is that the more pedestrian, or more lunch bucket utilitarian applications are the ones that are going to be done first,” he predicts, going on to say that by starting with these low-risk applications, companies can learn from the errors and refine their AI strategies before moving on to more complex and higher-stakes use cases.
In practical terms, this cautious approach means that many companies are initially deploying AI in areas where the consequences of failure are relatively minor.
Pine recalls a conversation with an insurance professional about a chatbot use case in which they discussed exposure appetite.
“If the bot is recommending something that could lead to grievous economic harm when it hallucinates, you probably won’t put that into production,” he says.
However, in less critical scenarios, where the risks are more manageable, companies can afford to experiment with AI-driven solutions.
Ted Pine’s insights shed light on how insurers are cautiously navigating this new landscape, starting with familiar applications and gradually expanding their use of AI as they gain more experience.
While ethical concerns and the lack of standardized practices remain significant hurdles, the potential benefits of AI in areas like customer service and internal knowledge management are undeniable.
As the industry continues to learn and adapt, it will be crucial to develop robust frameworks for managing AI risks and ensuring that these powerful technologies are used responsibly and effectively.