Digitalisation can create new vulnerabilities, amplify risk

Digital banking

Penang, 23 May (Kanaga Raja) — While the digitalisation of finance can benefit both banks and their customers, it can also create new vulnerabilities and amplify existing risks to banks, their customers and financial stability, according to the Basel Committee on Banking Supervision.

In a report on the implications of the digitalisation of finance for banks and supervision, the Basel Committee said that these vulnerabilities and risks include greater challenges by banks to adapt their business strategies (“strategic risk”) to an increasingly digital environment, potentially heightened reputational risk to banks, a larger scope of factors that could test banks’ operational resilience and operational risk, and challenges to banks’ data governance.

It said there are also system-wide risks that could result from the ongoing digitalisation of banking, including greater interconnection nodes across financial firms, a heightened degree of contagion in times of stress and the amplification of pro-cyclical behaviour (e.g. fire sales).

The Basel Committee underlined that advances in digitalisation should not diminish the role of human judgment in risk management and supervision.

The report said that digitalisation raises regulatory and supervisory implications for both banks and supervisors.

These include: monitoring evolving risks and adopting a responsible approach to innovation; safeguarding data and implementing robust risk management processes; and securing the necessary resources, staff and capabilities to assess and mitigate risks from new technologies and business models.

The latest report by the Basel Committee builds on an earlier report it published in 2018 and takes stock of recent developments in the digitalisation of finance.

The report reviewed some of the key technologies across various aspects of the banking value chain, including the use by banks of application programming interfaces (API), artificial intelligence (AI) and machine learning (ML), distributed ledger technology (DLT) and cloud computing.

Such technologies are being used by a wide range of banks, albeit with varying degrees of intensity and scope, it said.

For example, it said despite the growing interest around AI/ML, most banks appear to be using such technology cautiously at this stage, especially for customer-facing services and for revenue generation.

In contrast, the Basel Committee said there has been a significant increase in the number of banks using cloud computing services in recent years, with this trend expected to continue.

The report also considered the role of new technologically enabled suppliers (e.g. big techs, fintechs and third-party service providers) and business models.

It said innovative technologies have facilitated the entry of new digital-only participants (“neobanks”), fintechs and larger technology companies (“big techs”) into the provision of banking and financial services.

It said these firms often have an advantage in data and technology relative to traditional banks (e.g. digitally native platforms without legacy IT systems), and may not be subject to prudential regulation or supervision.

Advances in digitalisation and financial technology (“fintech”) continue to affect the landscape of the financial system, including the provision of banking services, said the report.

It said that technological developments are disrupting the financial system through three broad channels: (i) an expansion in the set of financial services and products, as well as the distribution channels through which they are offered; (ii) the arrival of new technological suppliers of these services (e.g. big techs, fintechs and third-party service providers); and (iii) the increasing use of digital innovations for managing, mitigating and overseeing risks.

Since 2018, the digitalisation of finance has continued to accelerate across a number of fronts, said the report.

Investments in fintech companies between 2019 and 2023 totalled $865 billion – more than twice the amount invested between 2013 and 2018.

Big techs, fintech firms, non-bank financial institutions and service providers are collectively playing growing roles in the provision of financial services, with increasing chains of interconnections, said the report.

“Developments in artificial intelligence and machine learning, cloud computing, distributed ledger technology, decentralised finance and various forms of cryptoassets have all raised important questions about their potential impact on banks, banking and supervision,” the Basel Committee pointed out.

POTENTIAL RISKS & VULNERABILITIES

Analysing the different applications of innovative technologies and their potential benefits, the report said that for the banks, many of the opportunities afforded by new technologies relate to innovation, efficiency gains and enhanced risk management capabilities.

For consumers, digitalisation holds the promise of expanding access to financial services (i.e improving financial inclusion), reducing transaction costs, improving customer experiences and increasing competition.

While digitalisation can benefit both banks and their customers, it can also create new vulnerabilities and amplify existing risks to banks, their customers and financial stability, said the report.

Banks may face challenges in adopting strategies needed to remain competitive and profitable in an increasingly digital environment, it added.

Increased competition from non-bank competitors (e.g. fintechs and big techs) that offer financial services bundled with other services, together with open banking/finance regimes that facilitate portability and induce switching, may reduce banks’ market share and revenues, and erode bank profitability, said the report.

In response, banks may seek to either develop their own technological capabilities, partner with new entrants to increase their digital offerings or otherwise look to diversify their revenues (e.g. through strategic partnerships with non-financial services firms such as e-commerce platforms).

These strategies may, in turn, exacerbate certain risks, the report emphasized.

It stressed that large-scale digital transformation projects carry both strategic and operational risks.

“While many banks have been increasing their technological capabilities, efforts have been impeded by problems with legacy infrastructure and a lack of staff expertise.”

In this regard, the report said that smaller banks may be particularly vulnerable as they generally lack both the financial and technical resources to improve their digital capabilities.

“An inability to improve digital capabilities could put banks at a competitive disadvantage relative to more nimble, digitally native entrants.”

It said bank partnerships with non-banks or other technology-focused firms may also give rise to strategic risks.

Dependencies on non-bank entities for the origination of business could leave banks vulnerable to loss of control over volumes, product design and origination processes, while remaining accountable for risks, it added.

In certain arrangements, banks may lose ownership of the customer relationship and thereby risk the possibility of non-bank partners taking their customer base elsewhere, which would result in a sudden loss of business for the bank with potentially significant implications for the bank’s liquidity and financial performance, it said.

“Bank partnerships may also give rise to narrow banking models in which banks provide only a limited set of services (e.g. deposits or payments) to non-banks.”

The report said this lack of diversification could create business model and balance sheet vulnerabilities, such as an over-reliance on fee income.

Banks’ use of certain technologies and partnerships with non-banks or other interactions with third parties may also lead to heightened reputational risk, it pointed out.

“Reputational risk may arise from operational failures, or failures to comply with relevant laws and regulations, and can be particularly damaging for banks as the nature of their business requires maintaining the confidence of depositors, creditors and other market participants.”

Banks may face reputational risk where they rely on certain models or automated processes, said the report.

For example, the use of complex AI/ML models and their lack of transparency, may increase the risk of unfair or discriminatory outputs which could lead to considerable adverse publicity as well as regulatory penalties.

It said in BaaS (banking as a service) arrangements or other interactions with third parties, issues with non-bank partners or service providers could affect the bank’s business or operations, and its reputation among consumers, investors and professional service providers.

“This could potentially limit a bank’s ability to, for example, obtain liquidity or professional services from external parties.”

The report said even where liability is clearly assigned between a bank and third parties, banks may still face considerable reputational risk in the event of customer grievances, e.g. when customer data are compromised as banks are often viewed as the custodians of customers’ data.

In response to reputational risks, banks may also face “step-in” type risks, it added.

For example, a bank may feel obliged to act to maintain continuity of service and/or to protect the values of end- users’ assets in cases of financial distress with non-bank partners.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (including legal risk, but excluding strategic and reputational risk).

According to the Basel Committee, operational risks can manifest in a variety of different ways.

The report said that digitalisation-related developments share certain common features that introduce additional complexity in the delivery of banking services, and that could exacerbate or amplify operational risks, including model risk, technology risk, cyber risk, legal uncertainty, compliance risk, fraud-related risks, and third-party risk.

For example, the report said that the use of AI/ML gives rise to potential model risks. While these may present similarly to other analytical methods, they may also amplify (or introduce novel) risks depending on the specific use case.

AI/ML approaches also have the potential to be “overfit” – that is, they hew too closely to the data on which they were trained and may not generalise to other conditions or circumstances.

The use of AI/ML can also reflect biases and inaccuracies in the data they are trained on, and potentially result in unethical outcomes, said the report.

It also said that banks’ legacy IT systems may not be sufficiently adaptable, or implementation practices, such as IT change management, may be inadequate to support the use of new technologies.

The integration of new technology with legacy systems can also add additional layers of complexity, it added.

Furthermore, the report said new technologies and new business arrangements can increase cyber risks if controls do not keep pace with change.

Bank systems have multiple points of contact with outside parties, which provide potential interfaces and entry points for cyber attacks, it noted.

The report also said a heavier reliance on APIs, cloud computing and other new technologies which facilitate increased inter-connectivity with actors or sectors not subject to equivalent regulatory expectations, could make the banking system more vulnerable to cyber threats.

Digitalisation can also facilitate new types of fraud, with fraudsters deploying more sophisticated techniques to target bank customers, said the Basel Committee.

It said that this can include, for example, the use of deepfakes (a type of synthetic media technology that uses AI to manipulate or generate visual and audio content that appears real) to commit account takeovers, loan fraud or wire fraud.

“More generally, operational risks may be exacerbated by poor governance and risk management practices.”

Risks could be heightened where banks’ governance frameworks are not modified to adapt to new technologies; there is inappropriate accountability and responsibility; a lack of technological literacy, including the inability to attract, build and retain talent; poor oversight of data governance; and use of systems and applications developed by third parties, said the report.

Effective management of operational risks is important to minimise potential operational disruptions and their impact on banks’ operational resilience, it added.

The report also drew attention to data issues and related risks.

Many new technologies and applications are data intensive and leverage new data sources – or existing data in new ways – which may exacerbate banks’ data governance challenges, it said.

“In particular, the volume, velocity, variety, quality and integrity of data may heighten data governance risks.”

Alternative data generally means non-traditional data or data not typically used to date by banks, it noted.

For example, it can include utilities billing and payment information, as well as images, audio, video and social media information.

Alternative data raise specific risks and challenges for banks’ data governance, including use of data without a long history (and whether they will continue to be predictive and explainable though the life-cycle of the data or with changing conditions); issues with privacy and consent (especially obtaining customer consent upfront); and potential bias within the data, said the report.

The use of alternative data in combination with AI/ML applications may also exacerbate bias and explainability concerns, it added.

In addition, the use of new data sources or techniques may also present challenges in integrating these processes with legacy risk management processes.

For example, the report said the use of new data to underwrite credit products may be challenging to integrate with existing credit loss modelling when assessing the adequacy of allowances for credit losses.

“Increased inter-connectivity and the sharing of data between banks and third parties creates potential challenges for data security and protection, and may introduce additional vulnerabilities as different parties access a bank’s data. This may increase the possibility of data breaches and result in a larger surface area for cyber attacks.”

The report said that new partnerships with non-banks may also present unique and potentially complex risks surrounding data ownership and accessibility.

For example, it said in some jurisdictions the end user in a bank-fintech arrangement may also be a customer of the bank, necessitating the bank’s collection of certain information on the arrangement’s end users to understand its own compliance obligations and risks even in instances where the bank does not have a direct relationship with the fintech’s end users.

It said that some fintechs may differentiate between types of data, such as data about a customer and data about the customer’s account, viewing some of it as proprietary and unnecessary to share with a bank that it views as a service provider.

This may, in turn, inhibit the bank’s ability to fulfil its regulatory requirements (e.g. account and transaction monitoring for anti-money laundering and combating the financing of terrorism), it added.

The Basel Committee said new technologies, applications and the entry of new suppliers into financial services may also give rise to broader banking system and financial stability risks, particularly where activities may scale rapidly.

These could include: increased interconnections; regulatory arbitrage; contagion; amplification of financial risks; fragmentation risks; and concentration risks.

For instance, the Basel Committee said that the use of innovative technologies typically leads to greater inter-connectivity and more interdependencies between market players (i.e. banks, fintechs and technology firms) and market infrastructures.

It said this adds complexity and opacity, which can make it more difficult for supervisors to identify, assess and respond to risks.

Moreover, the complexity of these networks and chains of interconnection are yet to be tested in an economic downturn, the report pointed out.

It also cautioned that technological advances increasing the speed with which financial transactions can occur, coupled with the real-time transmission of information through digital channels, may increase the speed with which contagion may spread across institutions or markets.

The emergence of multiple forms of digital money (including tokenised money), may also increase the risk of contagion to bank deposits, it added.

Digitalisation-related developments may also amplify more “traditional” financial risks, said the report, adding that liquidity risks could be affected in various ways.

For example, liquidity stress may become more acute due to the speed at which deposits can be withdrawn; the use of tokenised assets could increase intra-day liquidity needs; and fintechs’ reliance on banks to hold reserves or maintain operating accounts could precipitate liquidity and/or other stress on the bank’s financial condition if the fintech were to fail or to leave suddenly.

The use of automated models may also encourage and amplify pro-cyclical behaviours, the report said.

RISK MANAGEMENT

The Basel Committee noted that banks are implementing various strategies and practices to mitigate the risks.

The report pointed out that effective governance structures and risk management processes are fundamental to identifying, monitoring and mitigating risks associated with the digitalisation of finance.

Banks may also mitigate specific digitalisation-related risks – such as those stemming from API or AI/ML models by enhancing controls and pursuing an “across the bank” human-centric approach to overseeing the use of such technologies, it said.

Similarly, the report noted that banks manage data-related risks through robust governance arrangements and enhanced security protocols.

Banks may also reinforce their due diligence and operational risk management to mitigate the risks stemming from their reliance on third-party service providers, it said.

In practice, the Basel Committee said many of these risk mitigants are still evolving and have not yet been tested through different phases of the business cycle or periods of stress.

Regulations and supervisory frameworks have also evolved in response to the digitalisation of finance, it added.

For example, it said some jurisdictions have expanded the scope of the regulatory perimeter in their legislative frameworks.

Most authorities also require new banking applications to follow the same framework applied to “traditional” bank entrants, with a few jurisdictions applying a distinct process for digital-only banks.

Many jurisdictions have also issued specific supervisory guidance related to different aspects of the digitalisation of banking (e.g. on model risk management and cloud computing).

Supervisors are also reviewing and adjusting their approaches and tools to mitigate the risks from digitalisation while also harnessing their benefits in a responsible manner, said the Basel Committee.

The report also outlined the regulatory and supervisory implications for both banks and banking supervisors.

It said that at a macro-structural level, supervisors should continue to monitor – and it is important for banks to mitigate – the risks stemming from the evolving nature of banking as a result of technological innovations.

“The adoption of innovative technologies and business models should be guided by a principle of responsible innovation.”

It said it is important for supervisors to strike the right balance between enabling responsible innovation while also safeguarding the safety and soundness of the banking system and financial stability.

The report said as a result of the increasingly blurred lines between banks and the provision of banking services, integrating the principle of “same risk, same activity, same regulation” in regulatory and legal frameworks may help avoid regulatory arbitrage.

Highlighting the implications of specific digitalisation themes, the report recognises data as a critical resource, which necessitates a commensurate level of safeguards.

The use of service providers should be subject to robust risk management practices and processes in a risk-based and proportionate manner, it said.

More generally, advances in digitalisation should not diminish the role of human judgment in risk management and supervision, the Basel Committee underlined.

The report also highlights the implications of digitalisation for capacity-building and coordination.

It said that it is important for both banks and supervisors to have sufficient resources and staff with the necessary capabilities, knowledge and skills to assess and mitigate risks from new technologies and business models.

“Digitalisation raises issues that go beyond the scope of prudential supervision. Accordingly, communication and coordination among bank supervisors and other relevant authorities, within and across jurisdictions, is important to address these considerations,” it concluded. – Third World Network