VIEWPOINT

RATIONALIZING CONTROL SYSTEMS TO MITIGATE RISK

Banks are at a crossroad. They must balance regulatory compliance while keeping costs in check. Using a control structure based on an agile risk management framework can achieve both objectives. Lax controls cost banks money. A lot of systems exposes banks to risks and an inflated and inefficient structure money. An astounding $20 billion was poses threats to their success. that slows down an organization’s paid out by banks in the three years decision-making ability. between 2012 and 2015, according to Control systems hold • Mapping. Controls are often Bloomberg. And this was only for lax not designed at the optimum 1 money laundering controls. If total banks back level and are not adequately fines are considered, banks have paid documented. Furthermore, control But in many cases, control systems out $321 billion in less than a decade systems versioning becomes slow have gotten out of hand. They leading up to 2016.2 And money is not as additional documentation have become too complicated and all they lose. brands face a loss of is required, and it is difficult to onerous, often overlap, and are reputation and of senior management, obtain consensus from all users for very expensive to manage. The past as heads roll through resignations after the updates. few decades have seen banks build each compliance failure. multiple control systems to shore up • Review. There is an absence of a From the collapse of Barings Bank their integrity. Within each bank’s continuous process to design and in the 1990s3 to the “2010 Flash divisions — investment banking, review control structures. Auditing Crash” that dragged the Dow Jones retail banking, commercial banking — control systems to reflect emerging Industrial Average down 9%,4 the various control systems were created business changes or issues is limited. Often, this knowledge inability of banks to manage risks that were considered appropriate resides within individuals, while or criminality has had catastrophic at the time but were no more than organizations don’t have a fair impacts on institutions and the bandages for a bullet wound. These understanding of these systems, industry as a whole. Governments and systems operate in silos and generally their usage and the impact of regulators across the U.S. and Europe don’t communicate with each other. any breach. introduced numerous regulations and Quite often, these control systems bodies that aimed to increase capital compete with each other and negate • Lack of standardization. Control requirements, restrict bonuses paid the objective of building risk-proof systems are not standardized. to bankers, protect consumers and businesses and institutions. While Many of them are developed on strengthen regulatory powers. Some certain risks are well understood, risks an ongoing basis, and the process of these include the Dodd–Frank emerging from unorganized control through which they are deployed Wall Street Reform and Consumer systems are misunderstood and needs a second look. Protection Act, the Consumer Financial wrongly acted upon by the industry. • Exposure to fraud consequent Protection Bureau, the European to control weaknesses. Internal Within a bank, each business unit Banking Authority, the Housing and operations, people or external tends to treat control systems Economic Recovery Act, the European activities may compromise the differently to suit their current Securities and Markets Authority, effectiveness of control systems. requirement; some units consider and the European Insurance and Multiple ways of maintaining their control systems strong, while Occupational Pensions Authority. control systems can jeopardize how others may consider the same control they are leveraged to manage risks. Control systems are designed to help systems as an impediment that slows financial institutions comply with down their processes to deliver While control systems are generally regulations. Banks have adopted services or make informed business well defined for business-critical control systems that help track decisions. Existing control systems processes, trivial matters are often overlooked. For instance, providing banking practices such as auditing suffer from a host of other issues, an employee or external contractor standards, regulations and operations. including: Efficient control systems allow banks with access to an application can result • Duplication of risk and control. to operate at ease and act swiftly. in a breach of security or increase Correlation, intersection and When set up effectively, these systems the probability of internal fraud. This duplication of controls occur increases the importance of why each help avoid erroneous activities, because of multiple, overlapping control system or procedure must be fraudulent transactions and banking and conflicting lines of reporting analyzed and understood to arrive at irregularities. They act as a vigilant and responsibility. a robust framework and policies to watchdog of the bank, helping foresee govern controls. probable issues that could impact the • Bottom-up approach to control bank and prevent or minimize any systems. Control systems are One might think that multiple control future losses. Lack of effective control treated equally regardless of the systems increase a bank’s robustness underlying risk profile. This leads to and enhance security. And yet,

External Document © 2019 Infosys Limited multiple banks seem to continue to is increasingly considered as the new are historically structured, how they falter. In 2019, the European Union “more” in control systems design. continue to be structured and whether fined five large banks €1.07 billion for organizations can respond to day- rigging the foreign exchange market to-day changes. This provides an between 2007 and 2013.5 Back in 2012, Rationalizing control understanding of how processes are the brought out the dark systems… laid out and helps organizations get underbelly of large trading houses and attuned to the changing scenarios. Banks are rethinking how control resulted in banks paying over $9 billion systems can be redefined and The risk office can be provided with an in fines.6 rationalized. Their siloed approach to intelligent digital dashboard to allow them to have a holistic view of the According to United Nations estimates, control systems does not provide an entire gamut of control systems. This the amount of money laundered end-to-end view. Rationalization can globally in a year is between 2% and helps manage more with less, with a help achieve that. It is a process of smaller team managing organization- 5% of global GDP, or $800 billion to $2 continuous improvement that analyzes 7 wide control systems. A centralized trillion. This is forcing banks to rethink existing controls and aligns the control control repository helps build a robust their strategy on control systems. structure with risk to improve efficiency and agile organization that responds Rather than focusing on multiple and strategic effectiveness. All controls to changes much faster and in a control systems that operate in silos, are not equal — some are more linear fashion. they are looking at building a network strategically important, while others of control systems that communicate mitigate significant risks. Controls must with each other. Ultimately, the risk be analyzed and prioritized based on …through a dynamic office needs to use control systems their objective, the level of granularity framework to gain an end-to-end holistic view needed to provide assurance levels and A control systems framework can be of activities. This by its nature is the impact in case of their failure. a complicated and ever-evolving structured through a matrix of risks Control systems rationalization involves and impacts, as indicated in Figure 1. environment to map. However, “less” understanding how organizations Different services need to be rated

Figure 1. Control systems framework – risks and impacts

Internal control system risk External control system risk Key services People Technology People Technology Domain Risk Impact Risk Impact Risk Impact Risk Impact Research and sales Trade execution M&A Asset servicing Underwriting and Syndication Investment Banking Investment Risk management and Corporate advisory Portfolio construction Asset allocation Trade execution Asset servicing

Private Banking Private Tax management and Compliance

Wealth Management and Management Wealth Custody and Trust services

Low Medium High Note: Impact ratings are illustrative Source: Infosys Limited

External Document © 2019 Infosys Limited on their risks and impact levels by The industry must assess their business • Removal of control duplication people and IT within and outside of the towers, supporting applications and brings in efficiency for testing and enterprise. Services that are generally infrastructure to form an integrated monitoring controls and higher considered high risk-high impact are plan of building advanced warning reliance on the testing process. those that pose a threat to the front and risk-mitigating control systems. office, those that support M&A and According to Dr. Ashok Hegde, vice those that support accounting and president at Infosys, “Control systems portfolio strategy executions. For Benefits of rationalization can result in 15% to example, information leaked on M&A 17% overall cost savings.” He estimates could be highly impactful as it could rationalization that this would also reduce regulatory- affect the reputation of the firm, have Adopting control optimization can related fines by 70% to 80%, as well as legal and compliance repercussions, lead to significant benefits of an improve the brand of the organization and influence pre-merger discussions. as less time is spent in front of Trading applications also hold integrated compliance framework the regulator. sensitive client information. Securing that improves the risk and control them and having a well-thought-out environment: control procedure and infrastructure • Simplification and standardization Six steps to success are critical. of controls can lead to The framework is not sacrosanct. lower costs and improved Rationalizing control systems is Control systems are always changing operational efficiencies. a complex process that can take and are complicated by nature. Banks anywhere between nine and 14 • Risk-based approaches result in need to simplify them yet keep them months to complete end-to-end, flexible. Different activities carry enhanced effective and efficient risk according to Dr. Hegde. Indeed, the different risk levels with different assessment processes and better- first four to five months are spent impacts at different points in time. aligned risk coverage through simply on documenting all the Ratings can vary depending on identification of key controls. how the cluster of applications is control systems and mapping their grouped in an enterprise and the • Control automation and automation relationships out. Dr. Hegde outlines tasks those applications perform. testing bring in efficiencies and six steps to help banks rationalize their The framework provides a base to lower the cost of compliance. control systems: deal with risks in financial services.

Figure 2. Steps to help banks rationalize control systems

Step 1 Understand and view all processes. Assess or map control systems and document the whole process.

Step 2 Identify conflicting genres. Any conflicting controls are identified and rectified. This enables the organization to become more secure and improve efficiency.

Step 3 Identify complementary genres, where control systems supplement each other. This helps avoid unnecessary processes and makes the processes more robust.

Step 4 Club or consolidate control systems. Create a centralized dashboard of the control systems that can be managed on a day-to-day basis.

Step 5 Build a digital dashboard that provides insights into how control systems can be leveraged to mitigate risks and improve business agility.

Step 6 Set up governance. This includes a governance body for periodic review. The chief risk officer should oversee the governance function.

Source: Infosys Limited

External Document © 2019 Infosys Limited be limited to identifying threats but beginning has been made. With a Quicker, faster, stronger should also recommend preventive more integrated and rationalized set of Rationalizing control systems makes measures. With the use of artificial control systems, hopefully the financial banks agile and helps them respond intelligence and machine learning, crises of the past can be prevented in to changes more quickly. They can many uncommon threats can be the future. transform both from a cost perspective detected and reported in real time. and a revenue perspective as this While the financial services industry increases their capacity to take higher still has a long way to go, a new orders. Control systems should not

References 1 “Stung by Big Fines, Big Banks Beef Up Money-Laundering Controls,” Bloomberg, April 4, 2019, https://www.bloomberg.com/ news/articles/2019-04-04/global-banks-beef-up-money-laundering-controls-as-fines-sting 2. “World’s Biggest Banks Fined $321 Billion Since Financial Crisis,” Bloomberg, March 2, 2017, https://www.bloomberg.com/ news/articles/2017-03-02/world-s-biggest-banks-fined-321-billion-since-financial-crisis 3. “Barings collapse at 20: How broke the bank,” , February 24, 2015, https://www. theguardian.com/business/from-the-archive-blog/2015/feb/24/nick-leeson-barings-bank-1995-20-archive 4. “The Human Touch in AI-Aided Trading,” Infosys Knowledge Institute, June 2019, https://www.infosys.com/about/ knowledge-institute/insights/ai-aided-trading.html 5. “EU fines , Citi, JP Morgan, MUFG and RBS $1.2 bln for FX rigging,” Reuters, May 16, 2019, https://in.reuters.com/ article/eu-antitrust-banks/eu-fines-barclays-citi-jp-morgan-mufg-and-rbs-1-2-bln-for-fx-rigging-idINKCN1SM16B 6. “Understanding the Libor Scandal,” Council on Foreign Relations, October 12, 2016, https://www.cfr.org/backgrounder/ understanding-libor-scandal 7. “Money-Laundering and Globalization,” United Nations Office on Drugs and Crime (UNODC), https://www.unodc.org/unodc/ en/money-laundering/globalization.html

Authors Dr. Ashok Hegde Aliya Patricia Rebello Vice President – Financial Services, Domain Consulting Group Senior Consultant – Financial Services, Domain Consulting Group [email protected] [email protected]

Samad Masood Sharan Bathija Infosys Knowledge Institute Infosys Knowledge Institute [email protected] [email protected]

External Document © 2019 Infosys Limited About Infosys Knowledge Institute The Infosys Knowledge Institute helps industry leaders develop a deeper understanding of business and technology trends through compelling thought leadership. Our researchers and subject matter experts provide a fact base that aids decision making on critical business and technology issues. To view our research, visit Infosys Knowledge Institute at infosys.com/IKI

For more information, contact [email protected]

© 2019 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.

Infosys.com | NYSE : INFY Stay Connected