Five ways banks can avoid hefty fines for poor risk management

Federal regulators recently hit Citigroup with a $400 million fine for its “longstanding failure” to fix problems with its risk management systems. Today’s columnist, Dan Singer of Digitalware, offers security pros five tips for how banks can avoid large fines for poor risk and data management. (CC BY 2.0)

Federal regulators recently slapped Citigroup, the nation’s third largest bank, with a $400 million fine for its “longstanding failure” to fix problems with its risk management systems. The decision sends a clear message that the entire financial services industry needs to dramatically up its game when it comes to risk management.

The report by the U.S. Office of the Comptroller of the Currency didn’t pull any punches. It said that for several years the bank failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the bank’s size, complexity and risk profile. And blame was laid squarely on the shoulders of senior leadership at Citigroup.

Although Citigroup was aware that federal regulators were breathing down its neck, it’s difficult and very expensive for a large bank to get a handle on the problem. In some cases, the cost of remediation dwarfs the cost of fines, which creates an environment of complacency within executive and risk management teams.

And Citigroup is not alone. Several banks and financial institutions fail to meet risk management requirements; it’s a widespread industry problem.

Breaking it down

A number of factors have come together to make it increasingly difficult for banks to comply with evolving regulations that require them to integrate data sources so they can report a clear risk picture.

Today, now that mobile and remote computing have expanded the risk ecosystem beyond the bank’s four walls, financial companies have to show how risk applies to the entire supply chain. Banks often still rely on legacy mainframes and run outdated software that’s no longer in compliance. Many large banks tend to resist change, which inevitably creates a drag on efforts to modernize. While institutions may have solid policies on paper, they often lack the tools to verify those practices and put them into motion.

In many cases, banks just can’t move fast enough. Rolling out technologies one division at a time creates an unbelievable lag in technology and process adoption that can lead to more fines along the way. Here are five steps banks can take to improve overall security and risk management:

  1. Incentivize the CEO. The solution starts at the top. The board of directors has to make risk management a top priority, and it needs to authorize the necessary funding. It helps for boards to tie CEO compensation to regulatory compliance. The board should also require that the CEO develop specific strategic plans, and it should demand timely progress reports.
  2. Let the CEO take the lead. Once CEO compensation gets tied to regulatory compliance, everything changes. The CEO then has a clear directive to drive that mandate down the chain of command, and to tie raises and promotions of other employees to risk management. The CEO needs to develop that strategic plan and make sure it gets implemented and followed.
  3. Create a common data source. Communication has to flow among the key players. Risk management teams, auditors, lawyers and the IT teams charged with implementing risk management need to be on the same page, using the same data sources. Ultimately, it’s up to the CISO/CSO to develop accurate and comprehensive reports that highlight organizational risk against the current regulatory landscape, so that the true cost of both remediation and fines is assessed by executive management.
  4. Prioritize investment based on risk. There are specific steps that companies can take to improve their risk management posture, starting with the most obvious: acknowledging that the company has a problem and then identifying specific gaps or shortcomings. A comprehensive risk assessment entails identifying strategic and tactical risks, then measuring the operational impact and business impact of organizational inefficiency. Companies need to prioritize investments based on addressing the most serious risks.
  5. Take advantage of new technology tools. Until very recently, there simply haven’t been technology tools with the ability to drill down and analyze risk management systems across business units. However, there are new software tools on the market that use machine learning and artificial intelligence to quickly and efficiently uncover problems and offer actionable intelligence so that policies can be enforced across the organization.

Embedding these new tools into the risk management ecosystem can help companies automate and improve processes, alleviating some of the pain associated with regulatory compliance and hopefully avoiding the types of fines that Citigroup was hit with.

Dan Singer, chief executive officer, Digitalware
