BankThink

Yes, your bank has a supply chain, and it's fraught with risk

BankThink on banks supply chain risk management
While banks don't have a clearly defined supply chain in the traditional sense, increasingly the ecosystem of third-party providers that they work with — whether it be around cloud, infrastructure or operations — is becoming a supply chain of essential providers and one that is vulnerable to risk, writes Samantha Regan.
KritsanaMaimeetook81 - stock.adobe.com

During the peak of the COVID-19 pandemic, much attention was paid to the disruption of organizations' supply chains. Nearly every manufacturer, logistics firm and retailer was impacted in some way by unexpected kinks in supply chains that spanned the globe. 

While banks don't have a clearly defined supply chain in the traditional sense, increasingly the ecosystem of third-party providers that they work with — whether it be around cloud, infrastructure or operations — is becoming a supply chain of essential providers and one that is vulnerable to risk.

Regulators are taking notice. When Michael Hsu, the acting head of the U.S. Office of the Comptroller of the Currency, spoke at the Institute of International Bankers' annual Washington conference last month, one of the areas he said the OCC would double down on is the concept of a supply chain in banking. "The provision of banking services increasingly resembles global manufacturing supply chains, with their efficiencies, complexities and vulnerabilities," he said. 

Meanwhile, in Europe, the Digital Operational Resilience Act, or DORA, requires banks to have a plan in place to continue operations if something happens to a digital and data services third-party provider. Other markets, including the U.S., could one day follow suit with their own legislation.

In their efforts to modernize and develop new products at pace by embracing cloud, AI and other emerging technologies, banks are pushing the boundaries and ceding key functions and roles to intermediaries, including fintechs. The advantages of doing so are clear — heightened productivity, scale, potentially lower costs, a superior customer experience — but so are the risks. The interconnectivity of these companies along the supply chain could create a concentration bubble if something were to go wrong.

As a result, the safety and soundness of the banking system is not just about the four walls of the bank anymore. There have been several high-profile recent examples where a bank's supply chain failed, whether it be an accidental billion-dollar payment, disruption to customer-facing applications or a key supplier suddenly going belly up.

Banks' risk and compliance functions and their suppliers need to be more closely attuned to their evolving web of suppliers and up their games to make it more resilient.

Consider this hypothetical example: How quickly could your bank switch to another supplier if its software-as-a-service vendor that was providing core banking services was the victim of a cyberattack and suddenly went down? Do you know where the source code is located and whether it has been verified by a third party? Is it running in primary and secondary data centers or somewhere more challenging to reach? There are dozens more examples that could test a bank's resilience.

Artificial intelligence models are energy hogs. Climate First Bank and UBS are among the very few trying to solve this problem.

April 25

For banks, it's no longer enough to have the contractual terms in place with key suppliers. Oversight and understanding of the relationship with any provider that plays a material role in the bank's business is critical and needs to include risk management and resilience.

And for the suppliers that are forming relationships with banks, they need to grasp their potential liability. In the future, it's likely that organizations won't be able to solely rely on the assurance that the bank owns the risk, or that banks won't look to penalize suppliers if they are the inadvertent or advertent cause of damage or loss. Are these supply chain firms ready for the potential higher cost of compliance and regulatory exposure as they take on more work closer to regulated activities? And how do they create the right operating model that prioritizes success, risk management and resilience? For fintechs, in particular, the bar will have to be raised and it will become more costly to do business.

There's also a less obvious threat that could spill over — the risk of stifling innovation. This risk vs. reward tradeoff must be carefully considered by all parties involved, including regulators.

All of this points to a more fraught and interconnected risk landscape for banks. In fact, 81% of risk management executives at retail and commercial banks believe that complex, interconnected new risks are emerging at a more rapid pace than ever before, according to Accenture's last Global Risk Study. Seventy-two percent agree that their firm's risk management capabilities and processes have not kept pace with the rapidly changing risk landscape.

There are two supply chain learnings that banks could take from other industries. The first is the benefits of developing a network of regionally diverse suppliers, with key providers and data centers located outside of the U.S. or in different regions. The second is the need to increase their digital maturity, through investments in data, AI and cloud, which would allow banks to build reconfigurable supply chains and support decentralized, real-time decision-making at the front lines of their operations. Critically, this can only happen if banks have taken pains to upskill their talent in these areas.

Perhaps, in time, banks' supply chains can become something that resembles the internet today: When one node goes down, everything routes around it and keeps running.

As banks continue their migration to the cloud and outsource key functions and roles — and with the widespread adoption of generative AI expected to increase — intermediaries will only play a bigger role in the end-to-end banking landscape. Thinking holistically about their supply chains and making sure the chief risk officer has a seat at the table when material vendor deals are crafted will be paramount and could help banks stay ahead of the regulators as scrutiny intensifies.

For reprint and licensing requests for this article, click here.
Risk management Risk Consumer banking Regulation and compliance
MORE FROM AMERICAN BANKER