How to make the financial system resilient in the new age of risk and COVID-19

After boosting capital and liquidity, financial institutions (FIs) must now contend with the many nonfinancial risks arising around the globe.

More than 10 years after the global crisis large institutions have shored up capital and liquidity, new rules have been implemented and supervision has tightened. Now, with the spread of COVID-19, we may be on brink of an unpredicted global economic crisis, with business and operating models, and the environment in which FIs operate, changing  once again.  FI’s now have to contend with the new threat and risks of COVID-19, while maintaining focus on operational and financial resiliency. 

The five key themes that emerged during our latest 2019 Financial Services Leadership Summit are still relevant in today’s time of crisis. 

• The post-crisis regulatory regime may soon be tested
• Cyber and technology risks are testing systemic resilience
• The need to build sustainable, responsible financial institutions
• Traditional business models face disruption
• Risk governance is evolving in a changing risk landscape

Theme #1: The post-crisis regulatory regime may soon be tested 

Summit participants expressed confidence that the regulatory reforms of the last decade have addressed some of the most critical sources of financial risk to the system. They worry, however, that complacency may set in, given the period of relative calm and macroeconomic growth since the global financial crisis. They also worry that the nature of risks to the system are changing in ways that will make it difficult for regulators to respond effectively. 

In a recent speech, Wayne Byres, chairman of the Australian Prudential Regulation Authority and former secretary of the Basel Committee on Banking Supervision, said, “The current regulatory framework is not designed for clouds, ecosystems or partnership models. Not only do we need new skills, additional resources and stronger partnerships, but potentially new powers to ensure that as critical functions and data move outside the regulatory perimeter, we are able to satisfy ourselves that the requisite level of safety and control remain in place."¹

Participants agreed that large financial institutions are now better equipped to weather a financial shock, but they cautioned that reforms have largely gone untested—and now the prospect of a downturn looms in many economies. Meanwhile, the low (or negative) interest-rate environment in several major economies has left monetary policymakers with little room to maneuver. It’s also putting pressure on earnings at incumbent financial institutions already dealing with low growth. 

Other risks lurking in the industry include the rise of shadow banking, which participants said is not well understood or under control. Moreover, new FinTech and InsurTech firms, as well as large technology companies, may also present new sources of risk.

Participants also pondered if organizations such as the Financial Stability Board, the Basel Committee on Banking Supervision, and the International Association of Insurance Supervisors could coordinate a response to a future crisis as effectively as they did a decade ago. Given the current geopolitical environment in which nationalism and regionalism are resurgent, this kind of coordination is difficult to envision, they said.

Theme #2: Cyber and technology risks are testing systemic resilience

Participants discussed emerging sources of nonfinancial risk, including ever-more-sophisticated cyber threats. They also expressed concern that the next financial crisis might stem from operational or technical risks.

Malicious cyber-attacks definitely top the list of worries. Given the increasing sophistication and state-sponsorship of cyber-attacks, many believe that a major attack to disrupt the system is likely: four in five banks now believe that a system-wide industry-level attack or material event is likely within the next five years.² Participants highlighted three dimensions of state-sponsored cyber-attacks: destruction of data and systems; targeting the payments system; and using the financial system as a geopolitical tool. Adding to their concerns is the “highly interconnected and tightly coupled” nature of cyberspace, which means that “disruptions in one area can cascade easily and in unexpected ways.”³

Besides cyber-attacks, participants described broader threats to financial institutions’ resiliency from outages or other disruptions to systems. These could include outages caused by systems upgrades and other operational failures, the potential loss of data integrity, and third-, fourth-, and fifth-party risks arising from partners and vendors. Also, given that just a few large providers dominate the enterprise cloud market, concentration risk is becoming an issue.

The potential for significant disruptions means that financial institutions need a robust response and recovery process in place. To this end, FIs need to collaborate with each other and with regulators and governments to mitigate operational and technical risks in the system. A few examples include: Financial Systemic Analysis and Resilience Center (FSARC), a consortium of large financial services firms designed to “proactively identify, analyze, assess, and coordinate activities to mitigate systemic risk to the US financial system from current and emerging cyber security threats;”⁴ and Sheltered Harbor, which was launched to establish standards for data backups and resiliency planning so that financial institutions can continue providing critical services following a catastrophic event.

Theme #3: The need to build  sustainable, responsible financial institutions

Among sustainability issues, climate change looms especially large. Leaders across the financial sector increasingly recognize climate change as a source of systemic risk. For example, in a survey of insurance actuaries released in October 2019, 22% cited climate change as the top emerging risk.⁵

Climate change risk materializes through two primary channels: physical risk and transition risk. Physical risk refers to the direct impact of a warming climate, including damage from more frequent and catastrophic weather-related events such as floods, wildfires, and droughts, as well as more gradual changes such as rising sea levels. The insurance sector faces several direct effects of physical risk: increased property damage will drive higher claims and higher premiums for policyholders, while failure to adapt risk models to a changing environment could result in severe and unexpected losses. Transition risk stems from efforts—spurred by policy, technological developments, or public opinion—to mitigate climate change and transition to a low-carbon economy. In carbon-intense sectors, these efforts could strand trillions of dollars of assets. 

In light of these risks, supervisors are asking financial institutions to incorporate sustainability into their risk management frameworks in a number of ways: increasing climate-related disclosures; including climate in risk management frameworks and capital regimes; and stress-testing. And, there are several industry-wide initiatives to encourage the integration of sustainability into the operations of financial institutions. The United Nations Environment Programme Finance Initiative has spearheaded the establishment of the Principles for Sustainable Insurance (PSI), and the Principles for Responsible Banking (PRB). To date, over 70 insurers have signed on to the insurance principles, while 130 banks representing US$47t in assets have signed on to the banking principles.⁶

While it’s becoming more common for FIs to divest and exit activities and relationships that don’t adhere to sustainable principles, participants cautioned that such efforts are complicated and require nuanced decision-making. One director described his bank’s decision to cease lending to coal-related projects: “It was a very difficult decision. Ultimately, it made sense for our broad base of constituents, but it was not this clear-cut moral decision some might paint it as. There are a lot of factors.” Some participants advocated efforts to engage with clients to influence decision-making, rather than exiting those relationships. 

Another risk is that as central banks, policymakers, regulators, and supervisors make responding to climate risk a central part of their mandates, priorities can conflict. For example, after insurers began to reduce their exposure to wildfires in California, the Insurance Commissioner of California asked the legislature for power to compel insurers to write insurance in those locales. 

Theme #4: Traditional business models face disruption

Truly systemic disruption is often referred to as the “Uber or Netflix moment”—when a new entrant or entrants, enabled by emerging technologies, completely upends traditional business models in an industry, changing the economics and the competitive dynamics.

This moment has yet to arrive for the financial services industry—at least in developed markets. FinTechs and InsurTechs have positioned themselves as customer-friendly alternatives to incumbents by offering a more streamlined experience and enhanced digital features; meanwhile, incumbents increasingly view these challengers as less an existential threat than as potential partners in their own digital transformations.

The industry, however, may be reaching a tipping point. The potential business model risk is quite real and mounting. Big Tech has already transformed the financial services industry in China, where Ant Financial and Tencent have redefined mobile payments and much of the financial services industry. Western financial firms and their regulators have wondered for some time if similar disruption could occur in their markets.

The threat that tech companies disintermediate financial services firms from their customers is the biggest concern. What’s happened in China is the nightmare scenario for US banks said one executive. “The big Chinese banks are dumb pipes and make money off debt and the float; that’s it. WeChat and Ant Financial own the customer and have all the data from people’s lives and everything they do.”

Facebook’s Libra project is another example of how Big Tech could shake-up financial services. Within a month of Facebook’s announcement of Libra, the US House Committee on Financial Services sent a letter to Facebook calling for a moratorium on the initiative. While participants were skeptical that Facebook’s digital currency project would proceed as planned given the quick political response, Libra has opened a new dialogue around the potential benefits of digital currencies, particularly those backed by fiat currencies.

The Financial Times recently reported, “When Facebook announced its plans for a private digital payment token called Libra in June, its intention was hardly to goad governments into creating a public electronic currency instead. But that may turn out to be just what it has achieved, by injecting political urgency into a technical debate previously confined to the research papers of central banks.”⁷ A sovereign-backed digital currency that challenges the US dollar and achieves mass adoption would represent a fundamental systemic disruption.

Given the potential disruption posed by Big Tech and emerging technologies, financial services firms and regulators are grappling with the appropriate response. Senior leaders are contemplating a range of options that include becoming the disruptor, partnering with start-ups and adopting agile ways of working to adapt quickly to external technological changes.

Theme #5: Risk governance is evolving in a changing risk landscape

Following the financial crisis, supervisors, boards, and management teams focused heavily on enhancing risk management and board oversight. Much of their efforts focused on developing risk appetite frameworks, addressing risk culture, and refining the functioning of board risk committees. 

Since then, the nature of risk has changed: nonfinancial risks, which have always been more challenging to model and embed in risk appetite frameworks, are more prominent. The competitive landscape is now crowded with new entrants and new partnerships and vendor relationships. The exogenous risks resulting from a volatile geopolitical environment and emerging issues like climate risk are increasingly of concern to boards. 

Participants considered whether adequate attention has been paid to these evolving risks, and they reached a number of broad conclusions: boards must remain vigilant under pressure; nonfinancial risks will continue to challenge board oversight; and effective oversight requires substantial time and new sources of expertise. 

More specifically, boards must be vigilant to ensure that standards, such as those around loan covenants and underwriting, remain high even as companies pursue opportunities to improve margins in a low interest-rate environment. Boards also need to look more closely at issues like concentration risk, including across traditional risk silos. 

And given the intense pressure to control costs, boards must be vigilant not to allow cuts that unintentionally create other risks. One participant noted: “Cyber is not going away, so you cannot cut expenses there. AML and related compliance costs are not going away, so you can’t cut back there. And, digital transformation is not going away, so you can't reduce your spending there.”  This dynamic means that firms “need to retain the same level of diligence, but do it smarter,” by leveraging robotics, artificial intelligence, and machine learning to automate and improve processes. 

Participants also discussed specific steps to improve governance of cyber and operational resiliency risks. These included: diligence around basic IT “hygiene;” understanding the institution’s data strategy; ensuring sufficient testing and training; understanding third-party dependencies and potential weak spots; monitoring the rapid spread of (mis)information through social media that creates reputational risks; and improving response planning. 

This new era of risk governance requires boards to commit significant amounts of time and to access new types of expertise. It also means getting the right information to assess financial and nonfinancial risks and to benchmark their companies against peers and understand best practices.

The five themes in this article are based on five Viewpoints from the 2019 Financial Services Leadership Summit held on the 16th and 17th of October in Washington, D.C., and aim to capture the essence of these discussions and associated research.