Looming Threats to Operational Resilience for Financial Institutions

Elisabeth A. Wilson , Sunil K. Kansal


October 25, 2021

A cartoon computer screen with a bank building on it, surrounded by a briefcase, password field, credit card, cellphone, clipboard, coffee cup and glasses.

In the last few years, financial institutions have experienced a troubling spike in the number of technology failures and cyber incidents that are not limited to any one country or jurisdiction. Data recently published in the United Kingdom suggests that major banks typically experience more than 10 outages a month. In 2020 alone, three major British banks suffered eight system outages, leaving customers unable to access their accounts through websites and mobile apps. 

Earlier in 2021, First Horizon, a multi-billion-dollar U.S. bank, experienced a significant data breach impacting numerous customers’ online banking accounts after attackers accessed personal customer information and steal funds. BancoEstado, one of Chile’s largest banks, recently shut down all its branches due to a massive ransomware attack. And after the hacking of a tourist services portal, four major Greek banks had to cancel over 15,000 credit/debit cards. Incidents are on the rise, and the best organizations are falling prey to these attacks, imperiling what was once the assumed promise of operational resiliency.

These challenges are further exacerbated by flaws in control and oversight structures, which are particularly exposed during times of fast-paced change. The resultant operational risk represents a major slice of financial institutions’ risk-weighted assets (second only to credit risk). If companies do not vet potential vulnerabilities appropriately, they could face internal low probability/high impact scenarios that publicly reveal the fissures in their institutions.

Enhanced Online Banking and Technological Solutions

Technology infrastructures have undergone drastic changes in the last year, expanding at a lightning pace to support remote work environments and digital products for customers. In some cases, institutions are scrambling to implement services that were not immediate priorities before the pandemic. Simultaneously ensuring that institutions’ risk management infrastructures stay apace may be a challenge.

Financial institutions are also increasingly relying on Artificial Intelligence (AI) to streamline customer interaction and reduce staffing costs. AI may enhance efficiency, allow talent to be resourced, and reduce expenditure, but it is not infallible, and businesses should have backup processes in place in case this technology fails or falls prone to error. 

IBM and Amazon have built huge server capacities to store data on the cloud, encouraging mid-size to large financial institutions to shift their data to these external cloud servers. The cloud has multiple advantages for many organizations wishing to scale up their operations, especially in a world heading toward more permanent remote working solutions. However, it potentially ushers in a new set of regulatory, legal, and operational challenges, namely adherence with data privacy expectations, such as Europe’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other laws coming to fruition across the United States.

Cyberattacks and Other Growing Dangers

Increased digital traffic is straining bandwidth, and as companies roll out technological solutions to satisfy the customer base, they are also providing opportunities for potential cyber risks, including exploited system vulnerabilities, non-public business and customer data exposures, ransomware scenarios and cyber espionage. The financial and reputational implications for financial institutions—as well as the increased public and regulatory scrutiny—are serious if these risks are realized.

Fraudsters also use ordinary account holders as money mules to leverage customer-friendly remote banking services to launder proceeds from illegal activities. During the pandemic, reliance on money mules has grown massively due to lockdowns and reduced activities eliminating jobs. This has become a perfect opportunity for fraudsters to lure increasingly desperate people to support money mule schemes.

As financial institutions’ products and services expand and resultant operational infrastructures become more complex, they outsource to third parties. These third parties allow institutions to streamline internal resources, while remaining competitive in their ability to offer customers sophisticated financial solutions. However, if third parties become prone to significant operational errors, regulatory issues or cyber vulnerabilities, the banks’ customers will suffer, and the banks will assume reputational consequences.

Strengthening Operational Resilience

Safeguarding operational resiliency infrastructures will be key to addressing potential risks inherent in the rapidly evolving financial landscape. Financial institutions should develop an overview of key risks to capture emerging risks (and any changes to current risk assessments) regarding evolving exposures stemming from new digital products and solutions. They should conduct risk assessments, not only on the current operating environment, but prior to online product and service rollout, to ensure proposed virtual solutions remain scalable and fall within risk appetite.

As financial institutions implement AI solutions, they should ensure appropriate monitoring and backup/redundant processes are in place. Monitoring is essential to guarantee AI is working as the overall model intended. Backup/redundant processes will help ensure service appears seamless to the public, and that any disruption to the AI technology does not jeopardize production.

Financial institutions must safeguard against cybercriminals, whose techniques are ever-changing and increasingly more aggressive. Businesses must not only compete to implement more sophisticated and cutting-edge services, but must also institute complex security methodologies. They should establish information security teams and appropriately allot the budget needed to secure the right talent, providing training to hone and advance necessary skillsets. Cybersecurity experts must remain vigilant against, and stay at least one step ahead of, the latest cyberthreat trends. Technological solutions must be in place to support real-time monitoring and to protect network vulnerabilities from exploitation by malicious actors. Cybersecurity should be at the forefront of any business plan, as companies become high-profile targets for cyberattacks.

Similarly, legal and compliance teams should be prepared to support IT-led data transitions to the cloud and external servers by analyzing GDPR, CPRA, and other burgeoning data privacy laws. Agility is key to ensure that banks adhere to current regulatory expectations, while simultaneously preparing to adapt to future guidance.

Institutions should also counter financial crime risk by investing in well-resourced and capable governance designed to pinpoint and divert fraud, especially regarding money mule scenarios. They can leverage technology to drive automated trending and fraud identification, strengthening companies’ fraud prevention arsenals, and expediting remediation strategies.

When entering third-party relationships, financial institutions must not only enact up-front assessments, but establish ongoing (sometimes onsite) monitoring and audits. Failure to assess a third party’s adherence to regulatory requirements, their operational infrastructure, and their business continuity plans could leave companies open to laterally inherited vulnerabilities. Companies should also thoroughly vet fourth parties employed by third parties. It does not matter how physically removed a risk exposure is from a financial institution, if a third or fourth party suffers a significant risk realization, the financial institution will bear the responsibility in the eyes of its customers.

As financial institutions evolve, both the public and regulators will question their operational resiliency and ability to respond to potential threats. Shortcuts and quick fixes are not enough to safeguard operational resiliency. Institutions will need to deliberately embrace the lessons learned in the last year, methodically upgrade and secure their digital infrastructures, and conscientiously evolve their operational frameworks to mitigate the risks.

Elisabeth A. Wilson is risk manager at Atlantic Union Bank, Virginia, USA.
Sunil K. Kansal is head of consulting at Shasat, chartered accountant, and a fellow of the Institute of Chartered Accountants in England and Wales.