To date there have been two prevailing narratives around financial services. The first is that of information technology driving disruptive innovation, creating new products and services while at the same time destroying, or at the very least significantly impacting, established business models. Examples? The mainframe gave rise to the ATM, the Internet enabled online banking and Web 2.0 drove the creation of banking apps and person-to-person payments.
The second of the two narratives is that of organised crime moving in apparent concert with technology innovations to identify and swiftly exploit weaknesses and vulnerabilities for fraudulent gain. The fraud typologies used by organised crime have mirrored the development of the products, from stolen cards and cheques to ever-increasing levels of sophisticated cyber-attack, ranging from advanced persistent threat campaigns (frequently relying on tooling such as remote access Trojans) to focussed attacks upon weaknesses in internet protocols.
If there is a common thread to these linked narratives, it is the increasing speed of change, particularly in the areas of retail banking and payments, and the ability of organised crime to respond with equal rapidity.
A new narrative
Consequently, a third narrative is swiftly emerging: the convergence of fraud risk management and IT security to overcome the limitations of the traditional model of separated functions operating largely in silos, where communication and shared understanding are significantly constrained.
The new narrative emphasises the critical need for change, as existing risk management frameworks increasingly fail to guard the institution from attack and financial loss—with resultant damage to both reputation and regulatory relationships. It also emphasises the need to design agility into financial institutions’ risk management processes to facilitate a proactive response to both innovation and criminal threat.
Challenges to convergence
There will be challenges to convergence, not least the need for practitioners in both the fraud risk management and the IT security fields to adopt the skills and outlook of the other. Fraud risk management staff will need to extend their outlook to understand how their day-to-day challenges relate to the institution's IT estate, whilst those in IT will similarly need to understand their own challenges and their impacts from a business perspective. Senior management buy-in and governance will be crucial to successful convergence.
The following key steps will be important:
- Merging the governance structures of the two functions, then aligning roles, responsibilities and reporting lines
- Cultural assimilation in the form of common terminology and frequent communication
- Visibility of risk and performance indicators to facilitate swift and unified threat responses
- Harmonisation of policies and standards
- Identifying and procuring new skillsets
How long will all this take? Such a multi-layered change will be a marathon, not a sprint. Banks, capital markets and insurance firms will be sequencing and iterating this carefully over months and years, across multiple geographies and divisions. However, the scale of the challenge does not detract from the fact that those institutions making the jump will develop the competencies needed to increase the strength and agility of their risk management frameworks. This can be a key differentiator from their peers, a factor crucial for success in an ever-changing competitive and technological environment.