Federal regulators recently slapped Citigroup, the nation’s third-largest bank, with a $400 million fine for its “longstanding failure” to fix problems with its risk management systems. The decision sends a clear message that the entire financial services industry needs to dramatically up its game when it comes to risk management.
The report by the U.S. Office of the Comptroller of the Currency didn’t pull any punches. It said for several years the bank failed to implement and maintain an enterprisewide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the bank’s size, complexity and risk profile. And blame was laid squarely on the shoulders of senior leadership at Citigroup.
Although Citigroup was aware that federal regulators were breathing down its neck, it’s difficult and very expensive for a large bank to get a handle on the problem. In some cases, the cost of remediation dwarfs the cost of fines, which creates an environment of complacency within executive and risk management teams.
And Citigroup is not alone. Several banks and financial institutions fail to meet risk management requirements; it’s a widespread industry problem.
Breaking it down
A number of factors have come together to make it increasingly difficult for banks to comply with evolving regulations that require them to integrate data sources so they can report a clear risk picture.
Today, now that mobile and remote computing have expanded the risk ecosystem beyond the bank’s four walls, financial companies have to show how risk applies to the entire supply chain. Banks often still rely on legacy mainframes and run outdated software that’s no longer in compliance. Many large banks tend to resist change, which inevitably creates a drag on processes to modernize. While institutions may have solid policies on paper, they often lack the tools to verify those practices and put them into motion.
In many cases, banks just can’t move fast enough. Rolling out technologies one division at a time creates an unbelievable lag in technology and process adoption that can lead to more fines along the way. Here are five steps banks can take to improve overall security and risk management:
Embedding these new tools into the risk management ecosystem can help companies automate and improve processes, alleviating some of the pain associated with regulatory compliance and hopefully avoiding the types of fines that Citigroup was hit with.
Dan Singer, chief executive officer, Digitalware