Banking Safely During The Crisis
- A deposit flight caused Silicon Valley Bank and Signature Bank to collapse in March 2023.
- But at the same time, the US banking sector set a record $80 billion in profits in the first quarter of 2023, up 33% from the previous year, because of two-decade-high interest rates.
- On the downside, rapidly rising interest rates exposed cracks in banks that cannot move fast enough and in those that aren’t scrutinized enough.
- End-to-end risk management, involving constant review and testing of all controls, strengthens risk management and ensures residual risk (the risk that remains after risk treatment) is kept in check.
A looming deposit crisis
In just two days of March 2023, Silicon Valley Bank (SVB) experienced a staggering $142 billion withdrawal – nearly 80% of its total deposits. In the same month, Signature Bank lost 20% of its $83 billion in deposits in a single day before finally closing its doors for good.
The flight of deposits from banks didn’t start with SVB and Signature. Outflows from US banks had started nearly a year earlier — deposits had already declined by over $400 billion year-over-year by early February 2023. By August 2023, US commercial banks had lost nearly $1 trillion in deposits since April 2022 (Figure 1).
Figure 1: Deposits have fallen by $1 trillion in a year
Deposits, all commercial banks ($ trillions)
Source: U.S. Federal Reserve
Cracks hidden by record profitability
Interest rates remained at record lows for decades. But in 2022, an era of high interest rates began, with increases that surprised the industry. On the upside, this drove banking profits higher. US banking sector profits hit a record $80 billion in the first quarter of 2023 (Figure 2), up 33% from a year ago. This happened despite two bank failures. Lenders benefited from higher interest rates, low loan defaults, and an expanding job market.
Figure 2: Banking quarterly profits have risen to all-time highs
Source: U.S. Federal Reserve
On the downside, the rapid rise in rates exposes cracks in banks that cannot move fast enough and in those that aren’t scrutinized enough. Now that the US Federal Reserve and the Bank of England have pushed rates to levels not seen since the 2008 financial crisis, bank executives realize the heightened need to manage risks more carefully.
Move from sampling to continuous testing of risks
The sudden economic shakedown has tested financial institutions’ risk practices and models. The banking crisis reveals the need to reconfigure risk management, and managing interest rate risks is more complicated than earlier thought. Jamie Dimon, head of JP Morgan, cautioned that it will get worse for banks — more regulations, more rules, and more requirements, making it more difficult for banks to function. His comments come against the backdrop of midsize banks tightening underwriting standards on business loans due to heightened concerns over liquidity and funding costs. Outdated risk models lose their effectiveness as they fall behind in technological advancements. Wells Fargo recently paid $98 million due to inadequate compliance oversight that allowed the bank to process transactions for sanctioned individuals or jurisdictions.
The collapses of SVB and Signature Bank emphasize the necessity of operational risk management and risk control measures. Earlier, banks used sampling to test controls. Now, there’s a genuine need for real-time risk management frameworks that are put to the test round the clock. While building a comprehensive and holistic infrastructure for informed decision-making is challenging, the payoff is immense.
End-to-end risk management, involving constant review and testing of all controls, strengthens risk management and ensures residual risk (the risk that remains after risk treatment) is kept in check. It equips banks to detect deposit flight early, proactively retain customers, and adapt to market changes swiftly. This ensures financial stability and customer trust.
Continuous monitoring also facilitates real-time analysis of customer transactions and behaviors. By tracking patterns and anomalies in deposit behavior – such as sudden and large withdrawals by a particular customer – banks identify signs of potential deposit flight quickly and trigger timely alerts.
This approach allows banks to segment their customer base by risk factors, providing granular insights and preventing overexposure to any specific segment or industry. Banks can then focus retention efforts on high-risk segments and tailor strategies accordingly. More importantly, it ensures regulatory compliance in deposit stability and liquidity management and mitigates risks of regulatory penalties or sanctions.
Risk control testing with zero-trust
Continuous risk testing, with a shift away from sample testing, brings efficiency through automation across banking functions, operations, and infrastructure. Zero-trust automation, powered by artificial intelligence (AI) and machine learning (ML), assesses and mitigates risks within a bank’s systems and processes. It operates on the principle that no entity, inside or outside the organization, is trusted by default, which necessitates 100% testing of all risk controls.
Figure 3: Life cycle of continuous control monitoring
For continuous testing, banks must establish the following processes and technologies.
- Rule development and execution: Define the risk model’s scope to target specific risks and identify potential scope expansion areas. Then, integrate data from disparate sources in a centralized data warehouse. Develop rules and algorithms based on statistical models, ML algorithms, or business rules. This step often requires a multidisciplinary team of data engineers, data scientists, domain experts, and IT professionals. Financial institutions must use analytical models to assess all types of strategic, financial, and operational risks – and respond accordingly.
- Rule exception generation: Effective governance, risk management, and compliance (GRC) within an institution require a centralized repository for control rules and exception logs. This phase entails rule definition, configuration, and exception handling.
- Automated key indicator tracker: Identify and define key measurable indicators relevant to the bank’s risk and compliance objectives. Integrate these indicators with data sources via APIs or ETL (extract, transform, load) processes so they are retrieved automatically in real time. Set breach alerts along with escalation procedures.
- Automated case creation: Establish a transparent channel for reporting cases. Automate the investigation process within the GRC system by incorporating automated alerts to relevant stakeholders. Define an escalation matrix for cases requiring immediate attention or higher-level approval. Implement a dashboard and reporting module to track case status and progress, reducing oversight lapses.
- Case investigation: When a case is created, assign a user investigator to assess whether the reported incident is a true positive (a genuine issue) or a false positive (an incident that does not pose a significant risk or is a result of a system or rule error). Integrate the feedback on false positive cases into the bank’s control rules and monitor configurations. Analyze data to identify recurring incident types and assess whether control rules require further adjustment or additional controls. Ensure corrective actions are taken to prevent recurrence.
- Control review: When a positive case is identified, initiate a root cause analysis. Assemble a cross-functional investigation team that includes subject matter experts, control owners, compliance officers, and risk analysts to thoroughly analyze the positive case. Develop a plan for control improvement that strengthens existing controls, revisits control procedures, and implements new controls. Continuously monitor the effectiveness of controls through ongoing assessments. This ensures sustainable improvements. Conduct control reviews that encompass all controls at regular intervals.
- Internal and external audit focus: Auditors use controls to validate risks. Continuously collect data from transactions and processes that supports audit requirements, and automate the audit plan, moving away from a static approach. These steps enable auditors to identify missing pieces of information quickly and accurately. As controls are automated, audit teams become more efficient in identifying important evidence. For example, in its SEC filings, SVB is required to disclose market risk, including interest rate risk, as outlined in section 7A. Despite consistently reporting the impact of interest rate changes on net interest income and economic value of equity until 2021, SVB omitted the latter in its 2022 filing. Unexpectedly, this omission concerning equity sensitivity went unnoticed by the audit committee and was approved by external auditors.
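The first four steps above (rule execution over every transaction, exception generation, key indicator tracking, and case creation with escalation) can be sketched as follows. This is an added example, not part of the original article; the transaction records are constructed, and the thresholds, field names, and escalation labels are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: (day, customer, segment, opening_balance, withdrawal)
TXNS = [
    (1, "C1", "tech-startup", 1_000_000, 50_000),
    (1, "C2", "retail", 20_000, 500),
    (2, "C1", "tech-startup", 950_000, 600_000),
    (2, "C3", "tech-startup", 400_000, 300_000),
    (2, "C2", "retail", 19_500, 1_000),
    (3, "C4", "retail", 80_000, 10_000),
]

# Hypothetical thresholds; a real bank would calibrate these per segment.
CUSTOMER_OUTFLOW_LIMIT = 0.25  # share of a customer's balance withdrawn in a day
SEGMENT_OUTFLOW_LIMIT = 0.40   # share of a segment's balances withdrawn in a day


@dataclass
class Case:
    day: int
    subject: str      # customer id or segment name
    ratio: float      # observed outflow ratio that breached the limit
    escalation: str   # hypothetical escalation matrix: who is alerted


def run_controls(txns):
    """Test every transaction (no sampling) and open a case per rule exception."""
    cases = []
    seg_balance = defaultdict(float)
    seg_outflow = defaultdict(float)
    for day, cust, seg, balance, withdrawal in txns:
        seg_balance[(day, seg)] += balance
        seg_outflow[(day, seg)] += withdrawal
        ratio = withdrawal / balance
        if ratio > CUSTOMER_OUTFLOW_LIMIT:       # customer-level rule exception
            cases.append(Case(day, cust, round(ratio, 3), "analyst"))
    for (day, seg), outflow in seg_outflow.items():  # segment-level key indicator
        ratio = outflow / seg_balance[(day, seg)]
        if ratio > SEGMENT_OUTFLOW_LIMIT:        # indicator breach: escalate higher
            cases.append(Case(day, seg, round(ratio, 3), "treasury-committee"))
    return cases


if __name__ == "__main__":
    for case in run_controls(TXNS):
        print(case)
```

On the constructed data, two customer-level exceptions on day 2 go to an analyst, while the concentrated outflow in one segment on the same day breaches the segment indicator and is escalated separately.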
Continuous control monitoring depends on a tech stack: cloud platforms for scalability, RPA for workflow automation, and AI/ML to identify anomalies and potential risks. Ultimately, it's about how banks use technologies to boost efficiency, fortify risk management, and foresee future risks.