The core of the challenge: Technology risk in a new era of continual change for banks

By John Hintze

More banks are considering changing their core platforms, an undertaking that has traditionally been rare because of the broad consequences across the bank and the potential risks involved. Those discussions are being driven by customers increasingly demanding the speed and convenience of digital services, which present a host of other technology-related risks.

“We’re hearing more and more that banks are considering changing their core system or system provider,” says Beth Knickerbocker, chief innovation officer of the Office of the Comptroller of the Currency. She says that has been driven by the push to provide real-time, digital services, “beyond just a fancy front-end, so now you need different core processes to provide that.”

Knickerbocker provided her insight as part of a panel, including the heads of risk at two banks, that discussed the impact of technology on banks’ risk management at the American Bankers Association’s recent ABA Risk 2022 conference. Stephanie Boryla, the senior director of enterprise risk management at Bentonville, Arkansas-headquartered Arvest bank, with more than $18 billion in assets, says her bank is working through the transition to a real-time core technology, and risk management aims to facilitate the move rather than being the “no group.”

Nevertheless, the transition can seem overwhelming since it involves far more than simply replacing technology in light of the domino effects across the bank, from back-office operations to communications with employees and customers, Boryla adds. Consequently, the bank is looking at its product sets and clients and seeking to prioritize steps in the migration, such as launching new products first on the new core, then onboarding new customers to the new platform while existing customers transition more gradually.

“So as we do the migration, it’s less of a big switch than having to transition a large volume,” Boryla points out.

Joanne Campbell, EVP for enterprise risk management and chief risk officer at $5.5 billion-asset Camden National Bank, says her Maine-headquartered bank uses an office of project management approach to adopt new technology. It brings together executives from across different functions to scope the project and determine the timeframe and necessary resources. While time consuming, there is ever more competitive pressure to speed up implementations.

“We want to make sure we’re helping people to be thoughtful and understand all the controls that are being put I place, and we know how we’re going to mitigate whatever risks we’ll be facing,” she says.

The importance of due diligence

Knickerbocker adds that moving to real-time core technology requires revamping entire processes, and the main providers of that technology are moving in that direction. New providers are also emerging, she says, with some providing modules for different key functions that enable more flexibility in the transition to a real-time environment than having to run new and legacy systems parallel to each other.

Fintech companies, often relatively new firms, are also seeking to partner with banks to provide elements of that core technology. Knickerbocker recommends an interagency guide published in August 2021 about conducting due diligence on technology companies that was geared toward community banks but provides helpful insight for all institutions, as well as the OCC’s frequently asked questions published in March 2020 on managing third-party relationships.

“I can’t emphasize enough the importance of due diligence,” she says, adding one key aspect is whether the technology firm’s culture fits with the bank’s, given many of those firms are relatively young. “Does the fintech understand what a bank is and its responsibilities with respect to regulatory compliance and the huge reputational risk it faces every day? And can it adapt to that?”

Ongoing monitoring of third parties is also critical, since newer technology firms can quickly pivot their businesses, Knickerbocker adds, adding that it’s important to consider exit strategies upfront.

“That will help you as you negotiate the contract, because the bank can put in certain service-level agreements along with exit strategies,” she says.

In banking-as-a-service-type relationships, where the fintech’s front-end faces the customer, the bank must think about what happens should that relationship end, given its regulatory responsibilities in terms of record-keeping and customer treatment that the fintech may overlook, Knickerbocker says.

Developing governance in the era of artificial intelligence

Much of the real-time banking technology available today makes use of evolving technology such as artificial intelligence and machine learning. A significant challenge in today’s tight job market is not only finding the talent to handle the reams of data those technologies produce, but to monitor and review those processes and build controls around them.

Campbell says her team has focused on developing a more formal governance program around the use of data, to ensure the correct controls and documentation are in place. She adds that both the bank’s internal and external auditors are focusing more on the technology space, which was always important but has become increasingly so with the introduction of AI, ML and robotic process automation.

Another issue under discussion, with strategic ramifications, is the ethical use of customers’ data, Boryla says. Banks collect customers’ information including debit and credit card activity, loans and paychecks–data that new technology mines and analyzes—but how should they be using it? And given that data passes through or may be used by third parties, she asks, what safeguards can be put in place?

“We’re consistently looking at third-party risk management,” Boryla says. “We have to ask the challenging questions around where is our data going and who has access to it.”

Alas, bankers are only human. Knickerbocker noted the tendency to seek new technology-driven services to catch up to the pack, but urged bankers to complete the “standard blocking and tackling requirements.” First, understand the prerequisites that must be in place to effectively use the technology and that means thoroughly understanding the data, “warts and all.”

That’s particularly important when using technologies such as AI, which looks for patterns in the data from which it bases decisions.

“The outcome is really driven by how good that data is,” Knickerbocker said. “The old adage ‘Garbage in, garbage out’ is really on steroids when you’re talking about an artificial intelligence system.”

John Hintze is a frequent contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.