Bank Risks Flashcards

1
Q

How are Banks becoming more innovative? What are the problems that arise because of this?

A

To embrace technology and become more agile, banks are moving to the cloud and other forms of outsourcing, which adds to the complexity. Vital elements of key business services are now being delivered by companies who are not regulated to the same extent as banks.

Yet, although there are opportunities to thrive, embarking on such change can be a source of risk, not only to individual banks, but also to the economy, society, and the wider environment.

2
Q

What is a Risk?

A

Risk is defined in various ways depending on the context. Historically, risk has been associated with taking chances to make gains.

Essentially, risk is about uncertainty. While recognising that with risk comes opportunity, risk in banking is mainly seen as the potential for loss that results from banks’ interaction with uncertainty.

3
Q

What are the three questions Banks ask when facing the concept of Risk versus Reward?

A

If banks did not take any risks, they would not be able to generate any profit. Key questions are:

  • How much risk and reward are we comfortable in facing or taking?
  • What are the obstacles to achieving reward, and what could be the downside of failing to do so?
  • How do we assess and manage the risk and the reward?
4
Q

What is a bank’s risk appetite?

A

A bank’s risk appetite is how much risk a bank is prepared to take in order to meet its strategic objectives. A bank will have different appetites for different risks and these may change over time. Risk appetite is established, integrated into business plans, and monitored by the bank’s Board.

5
Q

What is a bank’s risk tolerance?

A

Risk tolerance is about what the organisation can actually cope with.

6
Q

How will a bank express its risk appetite?

A

A bank will express its risk appetite through its risk appetite statement which helps guide risk management activities across the organisation. The statement is typically based on a review of the perspectives and concerns of the bank’s stakeholders and addresses the implications of its current strategy and objectives.

7
Q

What are the six types of risks?

A

Strategic risks

Operational risks

Legal risks

Reputational risk

Financial risks

Systemic risks

8
Q

What is a Strategic Risk?

A

Strategic risks are risks that affect, or are created by, an organisation’s business strategy and strategic objectives. Therefore a bank could have strategic risks if it selects an ineffective strategy for remaining competitive in the current banking environment.

9
Q

What is an Operational Risk?

A

Operational risks are major risks that affect an organisation’s ability to execute its strategic plan. The Basel Committee on Banking Supervision (BCBS) (2011, p.3) defines operational risk as “…the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.

Operational risks also include the risks of cyber crime. Being the victim of a cyber attack can result in the loss of corporate data, intellectual property, or customers’ financial details, with consequences ranging from regulatory fines and reputational loss, through to complete failure of a business. As cyber risk has been identified as the biggest risk currently facing the financial sector, we look at this in more depth later in this unit.

10
Q

What is a legal risk?

A

Legal risks include regulatory and compliance risks:

  • Regulatory risk is the risk of changes to regulations that result in increased compliance requirements and costs of compliance; for example, a change in rules relating to products or dealing with customers.
  • Compliance risk includes the potential for fines and penalties for an organisation that fails to comply with laws and regulations.

11
Q

What is a reputational risk?

A

Reputational risk is where there is a threat or danger to the good name or standing of an organisation. Reputational risk can arise as the result of the actions and conduct of the company, its employees, or a supplier, leading to harm to customers, or adverse effects on market stability or effective competition.

12
Q

What is a financial risk?

A

Financial risks arise where there is a danger or possibility that the organisation and its shareholders, investors and other financial stakeholders will lose money. For a bank, financial risks include credit risk, market risk and liquidity risk.

Credit risk is the risk that borrowers will not repay their loans. We’ll look more closely at credit risk and how this is managed in a later section.

Market risk is the risk of loss from movements in prices in the financial markets. Examples are foreign exchange risk and interest rate risk.

Foreign exchange risk is also known as currency risk. As banking markets become more global, the importance of a bank’s international activities in the form of foreign investments increases. The risk is that what banks earn from these investments can be affected by exchange rates. Changes in the value of a country’s currency relative to other currencies affect the foreign exchange rates.

Interest rate risk arises from the impact of movements in interest rates and can affect interest paid on deposits and charged on loans. It can therefore affect the profitability of a bank. These risks differ from credit risk, in that they relate to how interest rates and prices for market instruments affect the profitability and value of a bank. Although a bank can be extremely effective at managing credit risk, it can still perform poorly if it fails to manage its market risk.

Liquidity risk is the risk that a bank doesn’t have enough readily available funds to finance its day-to-day operations and pay its debts as they fall due. An example is having enough cash available to give deposit customers their money back either on demand or at an agreed time.

13
Q

What is a systemic risk?

A

A further risk that is of critical importance to the financial sector and its regulators is systemic risk — the possibility that an event at one bank or other financial organisation could trigger severe instability or collapse of an entire industry or economy.

14
Q

What does PESTLE stand for? What does PESTLE do?

A

A key tool for analysing external environmental factors is PESTLE:

  • Political (e.g., changes in government)
  • Economic (e.g., changes in interest rates, exchange rates, or a recession)
  • Social (e.g., an ageing population or the effect of automation on people, skills and employment)
  • Technological (e.g., digital innovations)
  • Legal (e.g., changes in legislation and regulation)
  • Environmental (e.g., impact of a business on the environment, its social responsibility, and climate change).

Banks use this tool to identify the key drivers for change — the environmental factors that are likely to have a high impact on the banking industry and the success or failure of a bank’s strategy. PESTLE is also useful for identifying risks that could prevent a bank from achieving its strategic objectives, as well as opportunities for achieving success.

15
Q

What is a capability?

A

Capabilities refer to the extent to which these resources are capable of implementing the bank’s strategy. The efficiency and effectiveness of physical or financial resources and the people in the organisation depend, not just on the fact that they are there, but on “…the systems and processes by which they are managed, the relationships between people and cooperation between people, their adaptability, their innovative capacity, the relationship with customers and suppliers, and the experience and learning about what works well and what does not”.

16
Q

What are the fundamental principles in the Risk Management Associations standards?

A

Identify
• What are the risks?
• How will we define them?
• In what format will we record them?

Assess
• How likely is it that the risks will materialise?
• What could happen as a result?
• What are our priorities?

Respond
• How will we respond to and treat each risk?
• What action will we take?
• What can we do to mitigate this risk, i.e., prevent or reduce it to make it less harmful to us?

Review
• How likely is it that these risks could change or evolve?
• How often should we review them?
• Which risks and actions need to be revised?

17
Q

What is a holistic approach to risk management?

A

A holistic approach to risk management is one that recognises the interrelationships between risks. As such, it is not fragmented into functions and departments; rather, it is organised with a view to optimising risk management performance across the entire organisation.

An example of a holistic approach to risk management is Enterprise Risk Management (ERM), a process that is applied in setting risk strategy and implemented across the organisation to ensure risk is managed within the organisation’s risk appetite and that organisational goals are achieved.

18
Q

What is the difference between Governance and Culture?

A

Governance sets the organisation’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture is about the organisation’s ethical values and how it expects employees to behave.

19
Q

What is strategy and objective setting?

A

Enterprise risk management, strategy, and objective-setting work together in the strategic planning process. A risk appetite, aligned with strategy, is established. Business objectives are devised to implement the strategy and provide the basis for identifying, assessing, and responding to risk.

20
Q

What happens once the risks are identified and assessed?

A

Risks are prioritised in accordance with how severe they are thought to be within the context of risk appetite. The organisation then decides how it will respond to the risks, taking an overall view of risk across the organisation. The results of this process are reported to key risk stakeholders.

21
Q

What is Credit Risk? How does a Bank manage Credit Risk?

A

Credit risk is “… the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms”.

A bank will lend in line with its credit risk strategy, approved by the bank’s board of directors. The strategy will include the bank’s tolerance for credit risk and the level of profitability it expects to achieve for incurring various credit risks (see the section on ‘risk appetite’). A key concept here is ‘know your risk’.

22
Q

What is a Bank’s loan portfolio?

A

A bank’s loan portfolio is all the bank’s loans on a given day and is a major asset for the bank. The value of a portfolio depends on the interest earned on the loans and the quality, or likelihood, that the interest and the original loan amount (the ‘principal’) will be paid.

23
Q

What is screening? What are the pros and cons?

A

Knowing your customer becomes more difficult when a bank has adopted a ‘black box’ system, where the decision to lend is decided by a ‘machine’ programmed by an algorithm, and where there is no lending professional reviewing the application.

The danger is either that the machine says ‘yes’ based on the data input (a good credit score, for example), which may not take into account a customer’s other borrowing commitments, or that the machine says ‘no’ based on the criteria it is programmed with, even though it may well be a good lending proposition if other factors were taken into consideration by a professional lending specialist.

24
Q

Does a Bank measure risk on a single loan or a wider portfolio?

A

Credit risk management is not just about the risk of a single loan, it also applies to all the loans on the bank’s books, that is, the bank’s entire loan portfolio. It’s therefore important for credit managers to identify risks on individual loans and assess any adverse effects these could have on the wider portfolio. This will enable the lender to decide whether it can grow its loan portfolio by lending more money or limiting the number of loans it makes to avoid overexposing itself to the risk of loans not being repaid.

25
Q

What tools help Banks and other lenders assess and manage credit risks?

A

A range of credit risk measurement software applications, developed by financial technology companies (fintechs), offers tools to help banks and other lenders assess and manage credit risks. These include tools to help lenders:

  • capture and transfer information from a borrower’s financial statements into a bank’s financial analysis programme
  • create bespoke internal credit rating and scoring models
  • analyse data, and assess and monitor risk.

Additionally, a number of lenders work with technology companies to create advanced credit risk management systems that help them to act proactively rather than reactively to minimise losses and reduce the risk of default.

26
Q

What is the black box of decision making?

A

As the building of algorithms becomes more complex in decision making, there is concern about them becoming ‘black boxes of decision-making’. These black boxes can be vulnerable to risks. Examples are unintentional (or intentional) biases, errors and frauds. This raises a question about how much they can be trusted. It is therefore vital that banks are aware of these risks and establish mechanisms to manage them.

27
Q

How can risks arise from data?

A

Data input. For example:
• biases in the data used for training
• incomplete, outdated, or irrelevant data
• insufficiently large and diverse sample size
• inappropriate data collection techniques
• a mismatch between the data used for training the algorithm and the actual input data during operations.

Algorithm design. For example:
• biased logic
• flawed assumptions or judgements
• inappropriate modelling techniques
• coding errors
• identifying spurious patterns in the training data.

Data output. For example:
• incorrect interpretation of the output
• inappropriate use of the output
• disregard of the underlying assumptions.

28
Q

What can cause these risks in data?

A

Human biases (e.g., biased historical data is used to train an image recognition algorithm, resulting in the algorithm being unable to correctly recognise minorities).

Technical flaws (e.g., bugs in trading algorithms drive erratic trading of shares and sudden fluctuations in prices, resulting in millions of dollars in losses in a matter of minutes).

Usage flaws (e.g., flaws in the implementation of the algorithm or its use by end users can lead to inappropriate decision-making).

Security flaws (e.g., by intentionally feeding incorrect data into a self-learning facial recognition algorithm, attackers are able to impersonate victims via biometric authentication systems).

If not addressed, algorithmic risks could also give rise to risks in the following categories:

Reputation (e.g., if customers are adversely affected by their use).

Financial (e.g., if errors lead to loss of revenue due to inappropriate financial or strategic decisions being made).

Operational (e.g., if errors cause disruption to business activities, or open up new points of vulnerability for IT infrastructure).

Regulatory (e.g., algorithms making decisions that break the law, breach rules and regulations, or discriminate against certain groups of people can expose organizations to regulatory and legal actions).

Strategic (e.g., errors in algorithms used for strategic decision-making can put the organisation in a position of competitive disadvantage).

29
Q

What are the three ways to manage algorithmic risk?

A

Strategy and Governance:
Create an algorithmic risk management strategy and governance structure to manage technical and cultural risks. This should include: principles, policies, and standards; roles and responsibilities; control processes and procedures; and appropriate people selection and training.

Design, development, deployment and use:
Develop processes and approaches aligned with the governance structure to address the algorithm life cycle from data selection, to algorithm design, to integration, to actual live use in production.

Monitoring and Testing:
Establish processes for assessing and overseeing algorithm data inputs, workings, and outputs, using state-of-the-art tools as they become available. Seek objective reviews of algorithms by internal and external parties.

30
Q

What are the three types of risks that climate change poses for the financial sector?

A

Physical risks arise from the direct impacts of climate-related hazards on human and natural systems, such as droughts, floods and storms.

Transition risks arise from the transition to a low-carbon economy, such as developments in climate policy, new disruptive technology or shifting investor sentiment.

Liability risks arise from parties who have suffered loss or damage from the effects of climate change and who seek compensation from those they hold responsible.

31
Q

What is a stranded asset risk?

A

Stranded assets are assets that have suffered from unanticipated or premature write-downs, devaluation or conversion to liabilities. A write-down is an accounting term for the reduction in the book value of an asset (the value of the asset as recorded in the company’s accounts) when its ‘fair market value’ (the price that a willing buyer will pay to a willing seller for the asset) has fallen below its book value. The amount to be ‘written down’ is the difference between the book value of the asset and the amount of cash that the business can obtain by disposing of it in the best way possible.

Basically, what this means is that stranded assets are investments that are not able to meet a viable economic return, and may even need to be written off before the end of their economically useful life.

The scale of the risks associated with climate change and transition to a low-carbon economy is so significant that the entire financial system could be damaged, which is why central banks and regulators are playing an increasing role in seeking to understand, define, promote disclosure of and manage such risks.

32
Q

What are the two types of physical risks related to the material effects of climate change?

A

Acute physical risks: driven by an event which has a short-term impact — a drought, flood or hurricane, for example. In the aftermath of many extreme weather events, there can be significant short- and medium-term costs for clean-up and redevelopment, many of which may be borne by insurers.

Chronic physical risks: arise from more gradual, longer-term impacts, such as rising sea levels or chronic heat waves. The potential impact of these risks may be more difficult to quantify today, yet rising temperatures and sea levels may be on such a scale as to make parts of our planet uninhabitable. Although not all regions or areas will necessarily suffer the same net effects of climate change, in worst-case scenarios, major cities such as Amsterdam, Miami, Osaka and Shanghai, and financial centres such as London and New York, could be significantly affected. Even less dramatic scenarios will see coastal communities, industrial areas and sea ports affected, leading to assets being stranded and a requirement to relocate or redevelop facilities.

33
Q

What are the transition risks?

A

Transition risks are those risks that arise from the transition to a low-carbon economy. These risks include:

  1. Risks from developments in climate policy, legislation and regulation, e.g., the introduction of carbon pricing may increase a power station’s operating costs and therefore affect its profit margin.
  2. Risks from new, lower-carbon technologies which substitute for existing products and services, e.g., renewables replacing fossil fuels, which may lead to impairment or stranding of assets.
  3. Risks from changing consumer behaviour and investor sentiment, leading to potential reduction in demand for products and services (e.g., diesel cars) and in investment demand (e.g., for assets heavily dependent on fossil fuels).
  4. Reputational risks where organisations (and, potentially, whole sectors) may suffer from association with high-carbon methods of production and distribution, or environmental destruction, leading to falling demand and revenues, and reduced attractiveness to potential employees and investors.
34
Q

What are the risks associated with policy changes?

A

The risks associated with policy changes and their financial impact also depend on the nature and timing of the policy changes, and whether organisations can adapt quickly enough to comply. Uncertainty caused by differences in the development and implementation of national climate, economic and energy policies creates additional risks. Uncertainty is compounded by the complex, systemic nature of climate change. This means that the precise impacts of climate change are extremely difficult to predict, and no-one can say with certainty what the future will hold.

35
Q

What are low carbon technologies?

A

Technology risks occur when new, lower-carbon (or other) technologies replace existing products and services, which may lead to the impairment or stranding of assets. Innovations in technology that support the transition to a lower-carbon, energy-efficient world can have a significant impact on organisations.

For example, the development and use of renewable energy and energy efficiency technologies will affect the competitiveness of certain organisations, their production and distribution costs, and ultimately the demand for their products and services.

36
Q

What is changing consumer behavior and investor sentiment?

A

The distinction is that changing consumer behaviour (e.g., buying fewer avocados with the aim of preventing further deforestation) and investor sentiment (e.g., reducing investments in all car manufacturers because of problems with one) may depend less on the observable impacts of climate change and the transition to a low-carbon economy, and more on consumer and investor perceptions of potential benefits, costs and impacts of certain behaviours.

37
Q

What is the link between reputation and climate change?

A

Climate change has been identified as a potential source of reputational risk linked to changing customer or community perceptions of an organisation’s contribution to, or detraction from, the transition to a lower-carbon economy.

An organisation’s reputation (as well as the reputation of a whole sector) could be damaged if it’s associated with high-carbon methods of production and distribution, or environmental destruction, leading to falling demand for products and services and revenues, and being less attractive to potential employees and investors.

What this means for a bank or other financial services organisation is that not being seen to do what it can to mitigate the risks of climate change, or to contribute to the move to a low-carbon economy, could put its reputation at risk.

38
Q

What is a liability risk?

A

Liability risk is the risk that parties who have suffered loss or damage from the effects of climate change seek compensation from those they hold responsible. This is therefore about the risk of litigation. Climate-related litigation claims have been brought before the courts by, for example, property owners, insurance companies, shareholders and public interest organisations, due to the failure of organisations to mitigate the impacts of climate change or adapt to climate change, and insufficient disclosure about financial risks. This could include investors who feel that they were not adequately advised on climate-related issues and suffered losses as a result.

39
Q

In what way does climate change risk affect each type of risk?

A

Credit Risk: could arise from lending to high-carbon companies who could suffer losses if they fail to make the transition to a low-carbon business model.

Market Risk: could arise if prices increase (oil and food, for example), or where extreme weather conditions reduce the value of currencies in countries where there is wide-spread economic disruption.

Liquidity Risk: could arise if a bank has invested in companies who are severely affected by the impacts of climate change and who find themselves in financial difficulty, even to the extent of bankruptcy. If the bank is unable to get its money back when it expects to, this will affect the bank’s liquidity which means it may not have enough money available to give its deposit customers their money back, either on demand or at the agreed time.

Reputational Risk: could arise if a bank supports unsustainable activities. As ShareAction (2017, p.9) report, “…climate campaigners are increasingly targeting banks and creating public awareness of their role in financing high carbon projects and companies…this could be increasingly important, as recent studies have shown that millennials demonstrate less brand loyalty and value environmental and social causes higher than previous generations”.

Operational Risk: could arise when changing climate conditions present additional risks to banks’ buildings, processes, staff and systems. For example, if the impacts of climate change were to disrupt a bank’s business activities, would its contingency plans be robust enough to cope?

40
Q

How can banks manage climate-related risk?

A

As we have seen, climate change risks can affect many aspects of a bank’s business, having significant short, medium and long-term consequences. Approaches to identifying, managing, and disclosing environmental, particularly climate-related, risks are being coordinated and stimulated by international organisations, governments, central bankers, regulators and industry bodies concerned about the risks to overall financial stability.

Collaboration and cooperation are key to successful risk management at industry level, as is a coordinated, systematic approach to climate-related risks, especially disclosure of these risks, in order to provide help and advice to boards, investors and other key stakeholders.

41
Q

What is the TCFD? What are its four key themes?

A

The Task Force on Climate-related Financial Disclosures (TCFD, 2017) published its recommendations for the disclosure of climate-related financial risks to encourage and promote greater, more consistent disclosure so that climate-related financial risks would become more central to board and investor decision-making. The TCFD also stresses that financial services firms, such as banks, insurers, and asset managers, have a particularly important role to play in influencing the organisations in which they invest in order to provide better climate-related financial disclosures.

The TCFD (2017, p.v) sets out four key themes that, in its view, represent core elements of how organisations operate, and recommends that organisations report their approach to identifying and managing climate-related financial risks against these.

The four key themes are: governance; strategy; risk management; and metrics and targets.

42
Q

What is scenario analysis?

A

Scenario analysis is a well-established method for exploring different potential ‘pictures’ of the future, and assessing what actions are needed to best deal with those scenarios to reduce the impact of any adverse consequences.

43
Q

What are the opportunities for Banks associated with Climate Change?

A

Opportunities for banks and other organisations include:

  1. Using sources of clean energy could increase energy efficiency and potentially result in reducing operating costs.
  2. Developing green products and services could improve a bank’s competitive position in the market and generate more income as customer preferences shift towards being ‘greener’.
  3. Investing in and lending to green companies could provide a greater financial return for banks if more and more customers want to do business with green companies.
  4. By identifying and managing climate-related risks, improving efficiency and processes, investing in green technologies, and developing green products, banks can become more resilient and better able to adapt to climate change.
  5. Helping business customers understand the potential impacts of climate change, the associated risks for their business, and how they might manage these risks to help them become more resilient and better able to cope.
44
Q

What are the top 10 operational risks for Banks?

A

Data compromise: This is the threat of loss through cyber attacks. Being the victim of a cyber attack can result in the loss of corporate data, intellectual property, or customers’ financial details. Cyber attacks are on the increase, posing a major threat to banks and other organisations across the globe.

IT disruption: Malware designed merely for nuisance value can cripple an organisation’s operations. An example is Distributed Denial of Service (DDoS) — a cyber attack where the hacker seeks to either temporarily or indefinitely disrupt an organisation’s network services. We look at DDoS again in a later section.

IT failure. This is the risk of failure of a bank’s internal IT systems. As Risk.net (2019) report, “…when such failures happen, their financial, reputational and regulatory consequences can easily rival the damage from high-profile data theft”.

Organisational change/‘Strategy execution risk’. Adequately translate the strategy into specific business goals, objectives and activities across the organisation; if people don’t understand the strategy or are unclear about what they need to do to implement it, there is a risk that the strategy will not be followed. Adapt the strategy and the business plan when conditions change, e.g., customer expectations, the need for banks to keep pace with their ever-increasing competitors, and new laws and regulations.

Theft and fraud: The risk of theft and fraud remains high on the agenda for operational risk managers, with fraudsters finding new ways to steal from banks and their customers. Frauds can be external or internal to the bank, that is, frauds committed by employees. In some cases, it can be both, with criminals from outside the bank working with internal sources who know about the bank’s systems, processes and controls and potential weaknesses in these. In its global banking fraud survey, KPMG (2019) found that respondents across the globe consider cyber and data breaches the most significant challenge they face.

Third-party risk and outsourcing: By outsourcing key services to third parties, banks can harness the expertise of specialist providers and potentially save costs. Third parties therefore have an important role in the financial services sector. Increasing need for third parties

Regulatory risk: Coming in at number seven on the list of top ten operational risks for 2019 is regulatory risk. This has been fuelled by increasing regulatory focus on anti-money laundering (AML) compliance since 2017 when it came to light that as much as 200 billion euros in non-resident money had passed through Danske Bank’s branch in Estonia between 2007 and 2015. The bank issued a press release in September 2018 about the findings of the investigations and what the bank has done to improve its AML and compliance function. Other regulatory risks could arise from a failure to comply with the EU’s General Data Protection Regulation (GDPR), which became effective from May, 2018, and data protection legislation applying in other areas of the world.

Data management: This risk includes concerns about data quality, particularly the quality of historical data stored on legacy systems, as well as concerns about how the data is stored, used and transferred. A key driver of this risk is increasing regulatory supervision on data privacy and security — GDPR for example. Banks around the world could face heavy fines for failing to explicitly gain consent from individuals to retain and use their data, for example. There are also ethical issues arising from data management which we consider in Unit 6.

Brexit: The UK’s departure from the European Union covers a wide range of possible risk events. Many financial organisations whose business is affected by Brexit are putting in place contingency plans to deal with the impact. For example, as mentioned earlier, some banks are setting up new operations in mainland Europe which could give rise to a wide range of operational risks. Examples are: third-party risk from new supplier relationships; legal risk from having to set up new contracts; and people risk from recruiting, selecting and training new employees. These, and other factors arising from relocating parts of the business, are likely to put additional strain on a bank’s operations.

Mis-selling.

45
Q

What are the most common types of cyber attacks?

A

Vulnerabilities in SS7
  • SS7 is a set of protocols, or standards, that allows phone networks to exchange the information required for passing calls and text messages between each other. Telecom companies use SS7 to coordinate the routing of texts and phone calls around the world. Cyber criminals are exploiting flaws in SS7, enabling them to empty customers’ bank accounts by intercepting text messages and targeting the codes banks send to customers for authorising payments from their accounts. Although not reported to be the first instance of this type of attack on banks, in February 2019 the UK’s Metro Bank became the first major bank to publicly disclose SS7 attacks against its customers.

Malware
  • Malware, or ‘malicious software’, is software used with the intention of damaging or disabling computers and computer systems without the owner’s knowledge. Malware includes spyware, viruses, worms, Trojans, and other types of malicious code that can infiltrate computers.

Ransomware
  • Ransomware is a type of malicious software designed to deny access to files, or threaten to publish the victim’s data, unless a ransom is paid.

ATM attacks

Mobile banking attacks
  • Mobile banking attacks include fake banking apps and banking trojans. Most financial institutions build mobile applications to give customers access to their assets remotely.

Distributed Denial of Service (DDoS) is a cyber attack where the hacker seeks to either temporarily or indefinitely disrupt an organisation’s network services.

Insider threats

Phishing
  • Phishing is a form of fraud where a cyber criminal pretends to be a reputable organisation or person and uses phishing emails, text messages (called ‘smishing’), phone calls (called ‘vishing’), or social media to distribute malicious links or attachments to a large number of people designed to obtain their login details or account information, or download malware.

46
Q

What is Operational Resilience?

A

Operational resilience refers to the ability of firms, financial market infrastructures, and the system as a whole to prevent, adapt and respond to, recover and learn from, operational disruption.

Operational resilience is seen as an outcome, something to strive for, and a goal that both individual organisations and the regulators share. It assumes that operational disruptions will happen. Therefore achieving operational resilience requires effective and robust management of operational risk, which is key to both minimising financial losses and maintaining the ongoing provision of critical business services.

Enhancing the operational resilience of the financial sector is therefore a priority for banks, central banks, and other financial regulators.

47
Q

What are the recommendations for Banks to become more operationally resilient?

A

The recommendations include:

  1. Adapt risk frameworks, governance and strategy to keep pace with innovation.
  2. Tackle the potential for disruption head on by reviewing the approach to change.
  3. Routinely address resilience of key services, e.g., when considering investment in IT systems.
  4. Build operational resilience into strategy and business plans.
  5. Establish comprehensive management information and reporting for important business services.
  6. Include operational resilience skills and capabilities in development programmes.
  7. Be more transparent about the threats to the ongoing delivery of important business services through more detailed external disclosures and regulatory reporting.
  8. Work with technology and other providers to develop standardised support frameworks and opportunities that could substitute key services if necessary.
  9. Overhaul supplier management frameworks to improve operation of key services provided by third parties.