By Christopher Delporte
Risk management doesn’t always mean defending the bank from outside forces. Just like in horror movies, it can get a lot scarier when the threat comes from inside the house. Even the best-intentioned employees can do or say something that could put their company in a difficult position, and the intense and ever-changing COVID environment made that risk even more acute, experts say.
Speaking at the ABA Risk 2021 virtual event earlier this year, Spinnaker Consulting Group’s Cara Williams, CERP, CRCM, cited a 2020 IBM study of insider threats across a variety of industries, including financial services. The study found that insider incidents primarily stem from one of three sources: a negligent or inadvertent employee or contractor, a criminal or malicious insider, or credential theft. It also found that most incidents were caused by insider negligence: more than 63 percent of the incidents reported were due to negligent or inadvertent employees or contractors, and 23 percent were caused by criminal or malicious insiders.
According to Thomson Reuters, the number of financial services firms that have a working definition of “conduct risk” has tripled. Notes Williams: “I have personally seen a wide array of taxonomies, whether it be a level two of operational risk or a level two of compliance risk, around conduct risk.” The Thomson Reuters survey also found that consistent components of conduct risk management programs focus on culture, ethics, integrity, corporate governance, tone from the top and conflict of interest. A quarter of the institutions surveyed reported using software to manage and report on conduct risk.
“A lot of times conduct risk can be due to negligence, not malicious activity—just somebody doing something because they didn’t know any better,” Williams says. Unique or high-pressure situations push people to improvise, especially when the relevant procedures and best practices are new or rarely exercised because the need for them has been infrequent, and that improvisation is where the risk enters.
Jo Ann Stall, CRCM, chief compliance officer at BOK Financial in Tulsa, Oklahoma, says after pandemic lockdowns and “abrupt transition” for many to a work-from-home environment, conduct and insider risk issues were front and center. National programs such as the CARES Act and the Paycheck Protection Program added to the complexity of managing the situation, Stall says.
“There was a lot of confusion across the mortgage industry for sure due to the pace, content and communication on the details of forbearance and credit reporting,” she says. “Additionally, the various investors and agencies were issuing their guidance at different times throughout the first couple of months. All of that contributed to the chaos for a while. You’re trying to figure out how to do all those processes remotely or by appointment. Getting that all done was very challenging.”
In a remote environment, Stall says, most people will find a way to get the job done efficiently and on time, while others “will find it very difficult to understand or follow” the correct processes.
“In those cases, it’s important to have prompt and decisive employee management,” she explains. “That way, if it’s a case of a relationship banker opening accounts without the proper documents, a loan officer not following the social media rules, or an underlying manager making exceptions outside their authority, it can be handled quickly to reduce risk to other staff and customers.”
Sajan Gautam, CISO at Arkansas-based Arvest Bank, says getting employees used to working in a home environment was a priority. “We had to implement a lot of new technologies that would enable people to work from anywhere remotely,” Gautam says, adding that one of the biggest lessons his organization learned was how quickly they could get projects completed. Now, Gautam says, Arvest is looking at how to sustain the productivity and speed they harnessed during the rush of pandemic preparedness to roll out solutions.
Among the steps BOK Financial took to fortify its risk management culture were additional monitoring activities and human resources support for managers and employees, with “clear and frequent” communication as the most critical action, particularly from leadership, Stall says. “The whole bank has benefited from town hall meetings where all employees can hear from and pose questions to executive management.”
The bank’s chief risk officer has posted video communications providing guidance, and management “set the tone very clearly and early that even in a pandemic we will maintain our disciplined approach, and I think that’s been key to our ongoing risk management focus,” Stall says. She cautions, however, that in a newly decentralized remote working environment, there will be employees who do not follow policy and process discipline. “Evaluating risk and how risk metrics change in a remote work environment is key,” she adds.
Stall also urges banks to monitor their whistleblower process so that it “stays robust,” with information collected and acted upon quickly, so that “everyone feels comfortable and knows how to report anything out of the ordinary.”
Gautam says banks that don’t already have a formal insider threat program need to get started immediately.
“There are a lot of technologies out there that do behavior analytics, and that help to identify the suspicious behavior even when working remotely,” he says. “Of course, that brings a lot of log management challenges because you are keeping a lot of logs, a lot of analysis. But that is where some of the emerging technologies on machine language and machine learning can help.”
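The behavior analytics Gautam describes rests on a simple idea: learn what each employee normally does from historical access logs, then flag activity that departs from that baseline. The following Python script is an added illustration of that idea, not code from the article or from any vendor product. The log format (`timestamp,user,action,resource`), the sample entries, and the three thresholds (hours never seen in the baseline, resources never seen in the baseline, and a daily event count above the baseline mean plus three standard deviations or double the mean) are all constructed for this example; a production tool would learn from far more history and tune these rules to the institution.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple

# Constructed sample logs (not real bank data). One event per line:
# ISO timestamp, user id, action, resource touched.
BASELINE_LOG = """
2021-03-01T09:05:00,alice,view,loan_app
2021-03-01T11:20:00,alice,edit,loan_app
2021-03-01T15:40:00,alice,view,crm
2021-03-02T09:15:00,alice,view,loan_app
2021-03-02T13:00:00,alice,view,crm
2021-03-02T16:30:00,alice,edit,loan_app
2021-03-03T10:00:00,alice,view,crm
2021-03-03T14:10:00,alice,edit,loan_app
2021-03-03T16:55:00,alice,view,loan_app
2021-03-01T08:30:00,bob,view,mortgage_queue
2021-03-02T08:45:00,bob,view,mortgage_queue
2021-03-03T09:00:00,bob,edit,mortgage_queue
"""

RECENT_LOG = """
2021-03-04T09:10:00,alice,view,loan_app
2021-03-04T02:15:00,alice,export,customer_export
2021-03-04T02:20:00,alice,export,customer_export
2021-03-04T02:25:00,alice,export,customer_export
2021-03-04T02:40:00,alice,export,customer_export
2021-03-04T02:50:00,alice,export,customer_export
2021-03-04T10:00:00,alice,view,crm
2021-03-04T08:50:00,bob,view,mortgage_queue
2021-03-04T11:00:00,carol,view,loan_app
"""


class Finding(NamedTuple):
    user: str
    day: str
    reason: str
    detail: str


def parse_log(text: str) -> List[dict]:
    """Turn the CSV-style log text into event dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: hours of day seen, resources seen, and daily volume statistics."""
    hours = defaultdict(set)
    resources = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        resources[e["user"]].add(e["resource"])
        daily[e["user"]][e["ts"].date()] += 1
    baseline = {}
    for user in hours:
        counts = list(daily[user].values())
        baseline[user] = {"hours": hours[user], "resources": resources[user],
                          "mean": mean(counts), "std": pstdev(counts)}
    return baseline


def score_events(events: List[dict], baseline: Dict[str, dict]) -> List[Finding]:
    """Compare each user-day of recent activity against that user's baseline."""
    per_day = defaultdict(list)
    for e in events:
        per_day[(e["user"], e["ts"].date())].append(e)
    findings = []
    for (user, day), evs in sorted(per_day.items()):
        base = baseline.get(user)
        if base is None:  # no history at all: cannot score, but worth a look
            findings.append(Finding(user, str(day), "no_baseline",
                                    f"{len(evs)} events from a user with no history"))
            continue
        off_hours = [e for e in evs if e["ts"].hour not in base["hours"]]
        if off_hours:
            findings.append(Finding(user, str(day), "off_hours",
                                    f"{len(off_hours)} events outside usual hours {sorted(base['hours'])}"))
        new_res = sorted({e["resource"] for e in evs} - base["resources"])
        if new_res:
            findings.append(Finding(user, str(day), "new_resource", ", ".join(new_res)))
        # Volume rule: above mean + 3 sigma, and at least double the mean so a
        # zero-variance baseline (every day identical) does not fire on +1.
        threshold = max(base["mean"] + 3 * base["std"], 2 * base["mean"])
        if len(evs) > threshold:
            findings.append(Finding(user, str(day), "volume_spike",
                                    f"{len(evs)} events vs baseline mean {base['mean']:.1f}"))
    return findings


def detect(baseline_text: str, recent_text: str) -> List[Finding]:
    return score_events(parse_log(recent_text), build_baseline(parse_log(baseline_text)))


if __name__ == "__main__":
    for f in detect(BASELINE_LOG, RECENT_LOG):
        print(f"{f.day} {f.user:<6} {f.reason:<13} {f.detail}")
```

Run as written, the script raises three findings for alice on 2021-03-04 (activity at 2 a.m., a never-before-seen `customer_export` resource, and seven events against a baseline of three per day) and one for carol, who has no history to compare against; bob's routine access produces nothing. The point for a program owner is the one Gautam makes in the next sentence: every rule like this needs the underlying logs retained and normalized, which is a storage and analysis commitment before it is a detection one.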
Remote identity verification is yet another challenge banks continue to face, according to Gautam.
“In my opinion, the challenge is not the technology,” he says. “It is more about the process and the procedural challenges because even when the technology is available, a lot of our banking processes are reliant on somebody—the paper-based [tasks], somebody manually verifying the information. I think we needed to step back and rethink how we can bring digitization to the financial industry.”
Remotely securing delivery of documents and recording signatures was an internal risk red flag for BOK, Stall says. An electronic signature and document delivery process was underway prior to COVID and a “huge effort” was made to pick up the pace once the pandemic forced everyone to work from home.
“While it’s not likely in today’s environment that you’ve got employees that are signing documents and putting loans in the system that the client had no idea about, in certain instances you could have a client who says, ‘I don’t want to come in,’” Stall says. “You have an employee that thinks they’re helping and says, ‘Okay, well, we’ll just cut and paste,’ or ‘We’ll electronically sign,’ or ‘We’ll try to figure out a way.’ They think they’re being helpful when, in reality, it’s a bank risk.”
Stall suggests conducting extra review and process walkthroughs to make sure everyone is clear on processes and then have monitoring in place to make sure it’s being done correctly.
“This underscores the importance of written procedures and job aids for team members and oversight by management, including increased call monitoring and complaint reviews,” she says. “I’m pretty confident every financial institution in the country picked up their complaint monitoring process … because a lot of times, in this environment, it was one of the first ways we would find that there was an issue.”
Stall says that creating systems for the PPP loan process in a remote environment was an all-hands-on-deck effort, using talent from all parts of the organization. And, as such, it created new conduct risk opportunities.
“Our talent and organizational development team was instrumental,” Stall says. Compliance officers helped with getting processes up and running, along with providing advice and walking through procedures. “[They] moved over for a while to help with the process, and it allowed us to see it all in action,” Stall explains. “It really gave us an opportunity to see the pain points, to know where to look, to know what monitoring to do. It was just an amazingly collaborative process.”
At the same time, there was an unprecedented jump in mortgage volumes due to lower interest rates. And that situation placed a lot of stress on underwriting teams and loan officers, Stall says. “It was a big lift for them, and this is where monitoring metrics were key in identifying the stress points that may need additional attention.”
Processes that previously produced essentially no issues, or at most something that surfaced in a quarterly review, were now under enough volume that problems could arise between reviews, Stall says.
“As a result, you would change your monitoring cadence in certain situations, and we did that in quite a few situations,” she says. “Knowing what your data and your complaints say about your COVID accommodations, your PPP loan and forbearance activity is key. You need to monitor your outcomes, know if there are banking issues that need to be addressed, know what your customers are saying in complaints and investigate any potential issues.”
As the post-COVID recovery gets underway, risk experts are trying to stay ahead of what comes next by building on the lessons learned and on the infrastructure created to support their firms’ pandemic response.
“Learning from the pandemic, we may have to rethink if we ever want to have all of our associates in the office,” Gautam says. “We learned they may be more productive and work better when working remotely.”
But it goes beyond just deciding if folks are in the office or out, he says. Certain business models have improved because of COVID response and that means opportunity and new risk awareness. “Do we really need to have somebody in person to sign or can we strengthen our e-verify, e-sign, all of the above? This is a time that we can rethink how we can digitize our whole financial institution, the financial industry itself.”
For Stall, top of mind for the return to “normal” is making sure that any control or monitoring changes that were put in place during the pandemic are still necessary and working as intended.
“We don’t want to turn anything off until we know if everyone’s returning to the office,” she cautions. “We want to make sure that we know who’s coming back and when so we can determine and keep the cadence that we need until we know that the risk has gone back to our pre-pandemic, if it does. Who knows?”
Christopher Delporte is a senior editor at the ABA Banking Journal.