GRC Perspectives in Financial Services – with Shubhendu Mukherjee
Hello. This is Kevin Donahue, welcoming you to a new edition of Powerful Insights. This is the latest in our series of podcasts on GRC programs and technologies in which we’re obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets.
In this episode, I talked with Shubhendu Mukherjee. Shubhendu is a director with our regulatory practice, which is part of our Risk and Compliance solutions. We spoke about some of the GRC programs and innovations happening particularly within the financial services industry. Shubhendu, thanks for joining me today.
I would actually say, depending upon the financial institution – as you said, I’m focusing primarily in the financial institutions and focused on the U.S. I mean, it definitely varies depending upon the size of the bank, of the financial institution. Their priorities may be different, but generally, to come up with a couple of common themes that we see, or I’m seeing right now, one area of big concern or focus is around the data privacy, and if you tag along with that, cyber security in general. There have been some big data breach incidents in the very recent past, like the one that happened earlier this year. Prior to that, we have Equifax and Facebook, where we are now talking about data of consumers being hacked or breached, and it’s impacting millions of people. So that is something that’s a big concern for any financial institution.
There are of course measures that are being taken. At the same time, there are new technologies that specifically I would say – and this is probably one thing that I would probably talk about in that other aspect as well: Compliance officers, if you are looking at GRC more from the compliance lens, may not have a very good understanding of some of the newer technologies, so they feel at times a bit lost. Of course, these are handled by the technology team, which are very, very competent, but breaches are happening, and I don’t think there would be any time where there would be no breaches.
The question is, how do we try to protect that enough? I think related to this aspect is the new regulations, like the GDPR, the Global Data Protection Regulation, which has come out in Europe, and of course U.S. firms, which are global in nature, have to comply with that. At the same time, there is conversation in the U.S. side as well to bring in something which is a little bit stronger so that you can prevent data theft, or at least protect consumer information in a better way.
So, I would say that’s one idea, which is definitely moving some financial institutions to that space, thinking about how to solve this problem. The other one has been there for a while, and this is the idea that I specialize in and focus more on. This is on anti-money laundering and the functions and regulations. I would say the key driver at this stage, if you’re talking about 2019, is probably more around “How do we bring more efficiency and effectiveness in the space?” because there have been several enforcement actions – very large ones – against, I would say, almost all of the top banks, including the big banks in the U.S.
A lot of actions have been taken, a lot of remediation work has been done, but I think at this stage now, the banks are now trying to figure out, “OK, I still need to be effective and compliant with these rules and regulations, which are very, very important for preventing financial crimes in general and to protect the reputation in the market, but how do I do it more efficiently?” So those are the two that I would consider as the key drivers in the space for now.
Generally speaking, in the GRC space, in compliance, risk and regulations, there are various kinds of tools that are being provided or being offered by multiple vendors in the market. I think this is definitely happening in the U.S., and I’ve seen this happen all over the world. What you see right now – and this probably goes back to the earlier point I was making in financial institutions – is trying to make the controls more effective and at the same time make it more efficient. So, there are tools in the digital coalition space which either include automation or involve some kind of a cognitive computing, artificial intelligence – definitely, machine learning is there – and a combination of these so-called technologies are being used by providers to come up with better solutions.
So, if you think of the first challenge or the first driver that I mentioned about data privacy, there are lots of privacy-enhancing tools that are coming out in the market which try to allow sharing of data while protecting the data itself – homomorphic encryption being one of the examples of the best tools. Of course, not all of these tools are very developed at this stage, but these are being actively talked about and discussed, and vendors are coming up with solutions.
Similarly, there are tools which try to do transaction monitoring, but general monitoring of the activity is customized in a better way. There are tools which are now trying to do digital identification of the customers in a much faster and much effective way, which can actually cut down the cost of customer onboarding anywhere from a few days to maybe less than an hour or even lower than that. I would say there are lots of tools coming out in the market. Related to that is also the challenge of which tool is best fit for the financial institution, and financial institutions are trying to figure that out actively at this stage.
I’ll give you the example of an integrated GRC scenario more from the AML function space. The way we’re seeing this evolve – as I mentioned, there are various tools that are being offered. There are almost a hundred-plus startup companies in the U.S. itself every year that are coming out with solutions to tackle parts of the GRC process. In the AML space, if you think of the AML spectrum to include customer onboarding, transaction monitoring and function screening being the big three components, of course, there are other reporting and regulatory requirements involved in there. There are tools that have come to the market which try to handle, tackle or make each process more efficient.
At the same time, we see financial institutions having a bit of a difficulty in finding to figure out, “How do I combine all these tools or stitch these tools together?” That’s the reason why we have started more of a workflow tool which tries to kind of tackle it more from an end-to-end or more integrated manner, which would say, “OK, I’m providing you a platform and I’m using these digital technologies so that you can do an end-to-end process in one place.” We do see that happening.
Generally speaking, any of the large financial institutions you can imagine, there’s a multiple legacy system that is being put in place. It is not that simple to just integrate or overhaul the entire GRC and come up with an integrated solution. It is being attempted, but at the same time, I would say given that all financial institutions, particularly the mature ones, use various kinds of legacy systems, I would say it will always remain a challenge. We may not see an entirely integrated GRC tool that the larger banks could be using, but there’s definitely an attempt to integrate parts of the process.
Yes, that’s absolutely accurate. I don’t want to tend to just blame the financial institutions for using systems which may be older. There are valid reasons for that as well because a lot of these bigger banks, even the mid-size banks, they have acquired other banks over the years – if we’re talking about legacy systems, not only acquired by the financial institution itself, but either acquired or adopted from other institutions that it has brought into its fold – you are absolutely right. A lot of these systems are very old.
They have of course gone through various processes of transformation, but if you compare it with the brand-new banks, which we are now calling the challenger banks, which are coming up with absolutely fresh data and fresh systems, it’s a big challenge for the more established institutions because now, they have to compete with the ones which can do it from scratch and with an already fresh mind-set and new tools.
That’s a great question, Kevin. I’ll use as an example the recent study that we have just completed, and we’re about to publish a paper on that. We looked at, specifically within the GRC umbrella in the KYC, the know-your-customer process, for AML. We interviewed 50-plus institutions, including regulators from 14 jurisdictions. The idea was to get a better sense of “How can we transform?” and “How can we take it to the future state or use a far more transformative GRC approach?” The recommendations in that paper are, you can think of it like they are stakeholder groups which need to play a role. What I mean of what the stakeholder groups would be, there are regulators that they have their own responsibility in the space that are financial institutions themselves. Of course, the digital service providers, they also have to play a role.
To answer this question in a nutshell, I would say the regulators need to lead the way. They need to provide a little bit better guidance, and we see this happening in some jurisdictions. Probably more outside the U.S. – and even in the U.S., those we see did come out with a responsible integration framework. It needs to do more particularly for a market like the U.S., where you have multiple regulators. There is a general need that the regulators need to have one voice that allow or foster this culture for innovation and encourage the financial institution to actually start innovating.
Financial institutions themselves are trying to do that. They probably need to do a little bit more in terms of just bringing in a culture for change and the mind-set for innovation. Experiment with some of these solutions that allow this in a more protected environment, but there is definitely need to try out some of these solutions. I would say the digital solutions providers, they need to do a better job in trying to make sure that their solutions are better understood not only by the financial institutions but also by the regulators so that everybody in the ecosystem understands the benefits of using these solutions. There will always be some risks, but at the same time, as long as the mitigating factors are very clearly laid out, I think everybody will be able to gain.
So, yes, it’s almost like the three big players of the stakeholders need to work together, and at the same time, they have their own responsibilities to take care of. I will say that’s the way to get GRC to the future state.