Bates Research | 10-09-24
Crafting an Enterprise Risk Management Program for MSBs – Part 2
As MSBs and Fintechs get larger and more complex, they may find examiners, auditors, and bank partners asking about their ERM (enterprise risk management) Program. In Part 1, we introduced the art and science of ERM and walked readers through the value of a Risk Assessment and Risk Appetite.
In Part 2, we’ll get more granular and address the role data, analytics, and quality monthly[1] reporting procedures play in terms of providing management with decision-supporting information across the two important areas of an ERM Program – specifically, the Risk Assessment and Monitoring. When a Fintech Risk/Compliance Officer considers Enterprise Risk Management, especially in the areas of Risk Assessment and Monitoring, the importance of having good data, robust analytics, and well-developed monthly reporting procedures will become apparent. We’ll discuss all three below, and where pertinent, we’ll also address a current topic in the Fintech industry, which is the reconciliation of customer account balances in pooled “for benefit of” accounts at partner banks.
We’ll end by discussing the “so what” factor, since many newer Risk/Compliance Officers can probably recall being asked “so what does all this mean?” after delivering a metrics-filled ERM report to executives or Board members. Good ERM reporting is about making the information meaningful and actionable, and a Risk/Compliance Officer has to be able to explain to the organization’s leaders what it all means.
Data
Without quality data there cannot be a quality ERM Program in place. Although Risk/Compliance Officers can still run data analytics against questionable data, the results will be unreliable and not suitable for decision-making.
We’ll discuss how the quality of the organization’s data impacts the risk assessment and monitoring, as follows:
Risk Assessment
As soon as a Risk/Compliance Officer at an MSB or Fintech submits the organization’s Risk Assessment to a bank partner, the first question will likely be about the quality of the data that supports it. That will definitely be an examiner’s first question. It’s a meaningful question because risk can be misstated if the data used in the risk assessment is incorrect in some manner.
Continuous Monitoring
Performing periodic monitoring reviews has little value to an organization if monitoring procedures are being applied to low-quality data. The organization needs quality data to evidence its compliance with laws and regulations during monitoring reviews, for example. Two areas where this can be shown are: 1) gathering and maintaining complete and accurate CIP and CDD, such that the MSB or Fintech knows the customer it’s working with; and 2) complying with the proposed rule (expected to be finalized in some version) that requires individual customer account balances in pooled accounts to be complete, accurate, and reconciled as well.
Various tasks and functions, such as a data quality control function and a data validation function, are needed to ensure that data is complete and accurate. This is part of good data governance. And although many larger MSBs and Fintechs perform data quality control internally, most will outsource data validation exercises.
Analytics
Risk/Compliance Officers in all types of institutions are enjoying the heyday of risk analytics, but those in MSBs and Fintechs – with their technology expertise – are nailing it. Data Analytics supports the organization’s monthly reporting to executives, the Board, and bank partners, especially regarding the direction of risk. Bank partners already know how many of the Fintech’s customers they’re currently banking; what they need to know is how many it will be next week, next month, and so on. Where is the trend heading? What is the current level of fraud, and where is that heading? From an AML/CFT perspective, what’s the risk posed by new customers, and does it differ significantly from the risk posed by existing customers? Providing insight into these questions is how Data Analytics shines.
We’ll discuss how data analytics can add value to the risk assessment and monitoring, as follows:
Risk Assessment
Analytics can be useful when conducting the risk assessment in that large data sets can be sliced and diced to provide granular information for the assessment. Analytics can help answer multi-dimensional questions about customers, such as “How many customers have this attribute, that attribute, and also do xyz?” This would be important if those customers have a different risk profile.
Monitoring
Some organizations conduct most of their continuous monitoring via analytics, as opposed to selecting samples and pulling files to review. Imagine the resources saved if a compliance analyst had all the data stratified and organized every month, and could spend their valuable expertise on the analysis of the data. Analytics could also assist analysts charged with reconciling Fintech customers’ account balances held in pooled accounts at partner banks; that would be a difficult task to accomplish without analytics.
As noted above, Risk/Compliance Officers in larger MSBs and Fintechs have mastered analytics and use them to glean meaningful information from the organization’s data. This information is usually conveyed via reporting procedures for the organization’s executives and Board.
Reporting
Monthly reporting helps ensure transparency with executive management, Boards, examiners, and bank partners. It also helps support decision making in the MSB or Fintech. Formalizing reporting on a monthly basis helps provide visibility of operating results to executives and Board members, and this helps them see changes and trends on a timely basis.
We’ll discuss how quality monthly reporting can add value to the risk assessment and monitoring, as follows:
Risk Assessment
Monthly reporting can help the Risk/Compliance Officer understand the risk landscape, and because of this, the Risk/Compliance Officer conducting the risk assessment will want to review Board and Executive-level reports (and evidence the review) for the prior 24 months to gain information for the assessment. In organizations where reporting is in its infancy, that should be cited as a risk.
Monitoring
Monthly reporting to executives and the Board can provide insight needed for the monitoring program. It can help define the nature and scope of the monitoring reviews, and help provide context to the results the analyst is seeing in the monitoring. Conversely, the results of monitoring should be included in monthly reporting. For monitoring and reporting, it’s a symbiotic relationship.
The importance of reporting can’t be overstated. Monitoring a limit or balance, such as customers’ balances in a pooled account at a partner bank, might not be meaningful to an organization if the results aren’t reported.
So What?
The most important part of using data, analytics, and reporting is the “so what” factor. An Enterprise Risk Management Program misses the mark if management doesn’t consider the “so what,” which then needs to be followed by “what are you going to do about it?” For example:
- So what if the trend in third-parties who have experienced cyber events is increasing?
- So what if fraud losses, after all recovery efforts have been deployed, increased ten-fold in the past year?
- So what if system outages have caused downtime to double over the past quarter?
For all three examples above, it is great that a Risk/Compliance Officer is aware of the above increases, but what matters is what management’s response will be. What will you do about it? What will management’s planned action be?
In Part 1 and Part 2 of this article, we’ve presented macro-level concepts of an ERM Program by discussing the Risk Assessment and Risk Profile statement, followed by the more granular topics of using data, analytics, and reporting to help support the Program. A well-functioning ERM Program will help executives and Board Members make informed decisions in uncertain business environments and should minimize the impact of adverse actions on the organization’s performance.
[1] Monthly reporting is used in the discussions in this article, but reporting could be conducted at other time intervals.
Brandi Reynolds
Chief Growth Officer and Senior Managing Director, Fintech & Banking Compliance