Feb. 20, 2017
By John A. Epperson, CAMS, CFE and Clayton J. Mitchell, CAMS, CFIRS
The digital disruption that is reshaping financial services mirrors similar disruptions that have upended traditional practices and expectations in a number of industries. Consider the responses of Netflix to incumbent cable providers; Uber and Lyft to the taxi, car rental, and auto retail industries; and Amazon to the big-box stores that long dominated retail. What makes financial technology (fintech) companies – a driving force behind much of the innovation in financial services – different from disruptors in other industries is their close proximity to consumers’ livelihood.
The level of access that financial services providers have to people’s money and sensitive personal information gives companies in the industry a great deal of responsibility and also puts them at risk if they fail to uphold that responsibility. And yet, even some of the most savvy and innovative fintech companies lack the discipline and structure needed to effectively manage the many operational, reputational, and regulatory risks that they face.
Caution Absent in the Face of Fast-Failure Innovation
Part of the challenge is a conflict between the fast pace of innovation and the more deliberate processes of managing risk. Like innovators in other fields, many fintech companies operate based on a fast-failure approach. They move quickly and accept mistakes as a necessary evil in the course of innovation. Autonomous engineers or technologists adapt and improve the technology underlying a product or service bit by bit over time.
Coordinating this iterative process with risk management can seem cumbersome – or even detrimental to the spirit of innovation. However, when innovation is not paired with a systemic and fully integrated risk management framework, companies risk running afoul of their regulatory or compliance responsibilities. It is all too easy for an isolated engineering staffer or team to tweak the performance-enhancing technology and cause unintentional harm to consumers in the process.
Navigating the Regulatory Web
Compounding the challenges surrounding risk management for fintech companies is the lack of a unified regulatory regime. Several regulatory bodies have rulemaking or supervisory authority over fintech firms: state financial institution examiners, licensing agencies, federal functional regulators, the Consumer Financial Protection Bureau (CFPB), and other stakeholders such as banking partners.
With all of these regulators playing a role, but without a single leading regulatory scheme for fintech companies to follow, there is a great deal of confusion over coverage of rules or expectations, who oversees whom, and where true regulatory risk lies. Many fintech companies and their banking partners are uncertain about which laws and regulations apply to them, and many struggle to document and justify their interpretation of the rules.
Confusing the process further is the diversity of business models in fintech, which includes hundreds of niche and unique approaches to financial services. Regulatory guidance that applies to a digital currency platform might have limited relevance to a payment company, wealth management platform, or loan provider, and vice versa. This poses challenges for regulators trying to design – and for companies trying to decipher – rules and regulations for products that, in many cases, did not even exist five years ago.
More Clarity on the Horizon?
The Office of the Comptroller of the Currency (OCC) has recognized an opportunity to simplify the regulatory landscape for fintech providers and has launched an effort to study innovation in financial services with the goal of developing a framework to support responsible innovation.1 As part of this ongoing initiative, the agency announced in December 2016 its intent to create a special purpose national bank charter for fintech companies.
Through this process, the OCC aims to promote safety and soundness in the banking system, particularly given the abundance of new and innovative products and services – all of which represent new potential risks to customers. The OCC also is seeking to promote innovation, which the agency acknowledges has the potential to make financial services more efficient and accessible to a wider range of U.S. consumers. For fintech companies, an OCC-granted special purpose national bank charter would create a more straightforward set of federal laws and regulations, coordinated by one primary regulator.
In the meantime, however, companies would be wise to be proactive in establishing clearly defined and sustainable governance and risk management practices.
Integrating Risk Management Across Business Lines
Risk management should be integrated into decision-making and operational activities – all the way down to those seemingly minor tweaks to the technology that can have cascading effects across an organization. A successful culture is one where communication and collaboration are encouraged across business lines, development teams and engineers, compliance departments, and back-office operations. This type of culture is defined by the actions of those at the top of the organization, as company leaders must set an expectation that risk management should run parallel to all company initiatives.
To integrate risk management more fully across the organization, companies should:
- Assess the operational, reputational, and regulatory risks to the business
- Identify gaps where controls or processes for managing the risks are missing
- Design a plan to prevent and mitigate risk
- Execute on the plan
Companies should begin by assessing the strategic, operational, reputational, and regulatory risks they face. The fast-failure approach quickly can ignite issues across all of the risk categories. Companies need to assess their structure and sustainability of controls, the environment in which they operate, and leadership’s discipline level, to evaluate whether these areas are set up to coordinate risk management and operational progress. Leadership should explore the top risks that threaten the business and assign priority to the risks.
Having assessed the risks, companies need to identify areas where controls or processes for managing risk are absent. Often, these gaps represent the gulf between risks and the risk appetite of the organization. Different levels and types of risk will be acceptable to different organizations based on strategy and culture, and a company’s risk appetite should drive the design and execution of its risk management strategy and execution plan.
Companies should then design a road map, which includes the activities, controls, and processes that are intended to either prevent or mitigate risk. The question of whether a certain risk should be managed through prevention or mitigation will be driven by the potential impact of the risk and the available resources. The company should have people, procedures, and technology in place to implement and maintain these processes and controls.
Finally, having assessed the risks, identified gaps, and designed a risk management plan, companies should deploy the resources necessary to execute on the plan. Appropriate governance, including clear lines of accountability, is paramount to disciplined execution.
Areas to Strengthen
Designing, implementing, and maintaining an effective risk management culture is a significant undertaking. Weaknesses in the culture can create vulnerability, and companies should be alert to the following common areas of weakness:
- Compliance culture
- Risk assessments
- Monitoring and testing
- Complaint management
- Corrective action
Compliance culture. Often, fintech companies have more in common with technology startups than with financial services companies, and this is particularly notable when it comes to maintaining a compliance management system (CMS). A CMS framework establishes clear roles and responsibilities for governance, starting at the top of the organization. The framework details policies and procedures for risk assessment, training processes, and change management, and it names accountable parties for different risks.
Compared with banking peers, many fintech firms generally have less mature compliance cultures. As a result, when subjected to increased regulatory scrutiny, they are not able to pass muster. Disjointed processes and a lack of a comprehensive and well-orchestrated CMS exposes companies to considerable risk, particularly as regulators apply bank-like expectations to fintech companies.
Risk assessments. Many companies fail to move beyond the assessment of inherent risk to the next logical steps: identifying gaps in the control structure, then closing those gaps through the establishment of controls that can protect against the variety of risks that the company faces. All too often, risk assessments are conducted purely as a compliance exercise rather than with an intention to drive sustainable business value. The fundamentals of sound risk management include not just identifying risks but assessing the control environment supporting those risks and continually aligning an organization’s resources, infrastructure, and technology to pockets of unmitigated risk.
Monitoring and testing. Monitoring and testing are important functions of the risk management process, but companies often do not understand the difference between the two and why both are important. Monitoring is an ongoing process that involves the use of data and information to regularly assess key performance indicators (KPIs) and key risk indicators (KRIs) so that a more comprehensive analysis is triggered when something is outside of expectations. Testing is a detailed periodic review of the controls and their outputs to determine whether the controls are set up to allow the company to maintain an appropriate level of risk and compliance.
Experience has shown that fintech organizations and, in certain instances, regulatory agencies struggle to distinguish between monitoring and testing. When executed properly, the two processes should provide assurance that the risk strategy is being maintained and complied with, both on an ongoing basis and in the form of periodic in-depth challenges to the organization’s procedures.
Complaint management. In many cases, customer complaints are the best insights into customer experience that companies can get. However, many organizations struggle to step back from the tactical aspects of addressing individual complaints in order to dig into a deeper issue that the complaint may be indicating. While seeking to understand the factors driving customer complaints is a worthwhile endeavor for any business, this exercise is critical for financial services companies, which face substantial fines and penalties for adverse impacts on consumers.
When a complaint comes through, organizations should do root cause analysis to understand what is driving the complaint – and whether there is a way to mitigate similar complaints through systemic change. For example, a company might get lots of customer complaints about the types and amount of fees they are charging. Rather than handling these complaints in isolation, the company could examine whether the disclosures provided to customers at the inception of the relationship are clear, conspicuous, and understandable. The best response to the complaints might be to incorporate common language that is clearer and easier to understand. By improving disclosures, the company might be able to cut down on complaints about fees.
In addition to digging into grievances from their own customers, companies also can use the CFPB’s Consumer Complaint Database to explore the types of complaints that have been filed with similar organizations. This search can serve as a crystal ball of sorts for issues to consider – and as an overall indicator of risk across the industry.
Corrective action. Finally, companies should have a feedback loop and appropriate accountability structures that allow them to track, monitor, and test any issues after corrective action has taken place.
Enablers of Success, Rather Than the Office of “No”
To be successful, a fintech company’s core business strategy must be aligned with risk management. When the larger business strategy is disconnected from risk management, the results can be toxic. For example, an antagonistic relationship between the compliance or risk management team and the business leaders can make the entire business grind to a halt. Rather than being the “no” office, risk management and compliance can enable success when these departments are aligned proactively.
1 “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” Office of the Comptroller of the Currency, March 2016; “Recommendations and Decisions for Implementing a Responsible Innovation Framework,” Office of the Comptroller of the Currency, October 2016; “Exploring Special Purpose National Bank Charters for Fintech Companies,” Office of the Comptroller of the Currency, December 2016.