Credit default swaps, core processing systems and ATM networks would all appear to be different animals in the financial zoo, but Louis Rosenthal says there's some dangerous common ground.
A consultant who's also held senior positions at Bank of America, LaSalle Bank and ABN Amro, Rosenthal says esoteric financial instruments and tech networks both place banks in a position in which institutional credibility is partly reliant on the performance of sometimes-shaky counterparties. He recently discussed threats with BTN at a recent BITS event in Chicago.
BTN: How are outsourcing and offshoring changing?
Rosenthal: In most cases, banks are five-to-six years into their offshoring programs. The benefits of these programs, which were mostly aimed at reducing basic expense, have been baked into the budgets and financial expectations of banks, so there's not a lot of room for more improvement. So it becomes at matter of getting higher quality outcomes from outsourcing and offshoring arrangements. In the future, banks will probably spend more on [outsourcing] internal processing and higher-level functions.
Does this trend change the bank's oversight responsibilities?
Careful supervision of the suppliers and supply chain will be critical. You can discipline and change the performance of people that work for you internally if a task isn't done to specification. But with an outsourced arrangement, there's no do-overs. So more careful governance, ongoing monitoring and sophisticated vendor management will play a role. Banks will have to avoid a mindset in which they do a lot of careful due diligence and examining of partners up front, then start to get lax in management over time because they're comfortable with the quality of service that the outsource firm is providing. That's when problems can start to arise.
What kinds of problems are we talking about?
There are a number of events that can cause severe systemic impairment to the financial system, particularly since many financial institutions share or will share the same external service providers, who have suppliers of their own that may be in a risky position - economic, technological or otherwise. A problem with a backup data management system could hinder access to ATM networks or online banking networks, for example. Even if that access was cut off for only 24 hours or so, that would be a huge blow to the banking system. I'm not talking about something malicious here, either. It could be as simple as an unintentional error that redirects Web traffic or an unintentional shutdown of a provider of network access to a number of banks.
Are these emerging risks changing the job duties of bank execs such as CIOs and risk officers?
These executives have a lot of new challenges and issues to keep track of. CIOs and chief risk officers will have to be responsible for monitoring the quality of service providers and the work that's being done. It's a new discipline for some people in these jobs. Monitoring outsourcing agreements has typically been handled by legal departments in the past.
Are the systemic risks posed by third-party Web infrastructures and external data security as great as the credit risks posed by a lack of transparency into capital markets counterparties?
The losses [from a shared technical malfunction] would be a more functional hit to the economy and systemic access to banks. A crisis that affects the back office won't be as much about investors losing money as the capital markets crisis was. And a tech crisis wouldn't be about 'greed,' so you probably wouldn't have the same level of response from politicians.
How does consolidation of large service providers and processors heighten systemic risk for the financial system?
No matter how careful tech firms are about their controls and security, some things are going to get lost or go by the wayside when two firms merge their businesses. But another concern to think about is the financial condition of the service providers that you're going to do business with as a bank. Was the provider's merger with another firm a merger of equals? Was the acquisition a debt or equity transaction? And what kind of financial position does has the service provider placed itself in by doing the acquisition?
What's the impact of service provider consolidation on a financial institution's risk management?
Most banks that outsource are already aware of vendor management platforms. The emerging challenge is to assess and do a deeper dive into the second or third level providers: who are your suppliers' suppliers? It's an unusual and new issue for a [retail] industry like banking to have to face, unlike manufacturers who have faced supply chain issues for years and know who manufactures and ships their tangible components.
Do vendor management platforms and questionnaires based on shared assessments mitigate this risk?
There's always going to be some risk. At the end of the day, shared assessments won't satisfy everything. But it can cover about 80 percent, and by 'sharing' due diligence standards and best practices you can be exposed to information that you might not have thought about before. The idea is to get a start, and to quickly get though to your own vetting program. A bank shouldn't use standards alone and nothing else to monitor providers - a law school still interviews applicants in addition to requiring them to take the LSATs.