
A strategic framework for managing operating and compliance risk in the payments business

David C. Robertson* and Paul LaRock

Received (in revised form): 25th October, 2007

*Treasury Strategies, 309 West Washington Street, 13th Floor, Chicago, IL 60606, USA. Tel: +1 312 6286950; Fax: +1 312 4430847; e-mail: [email protected]

Journal of Payments Strategy & Systems, Vol. 2 No. 2, 2008, pp. 138–149, © Henry Stewart Publications, 1750-1806

David C. Robertson is a Partner in the Financial Institutions practice of Treasury Strategies, Inc., and helps financial services providers improve competitive position, client satisfaction and financial returns. As the head of the financial institutions practice, he helps financial services providers develop payment strategies and solutions. He has led the development of many of the firm’s proprietary methodologies in pricing strategies and new product development and is the co-author of Treasury Strategies’ groundbreaking whitepaper, ‘The Next Generation of Treasury Services’. In addition to his work with banks, securities firms and other financial services providers, David helps technology and service firms understand their target markets, refine their product offerings, position their capabilities, and price to optimise value. He also works with industry groups, regulatory agencies and industry consortiums to maintain their leadership through strategic initiatives that transform the financial services landscape. Prior to joining Treasury Strategies, David spent 18 years in banking, consulting and the public sector. David holds an MA in English Literature from Northwestern University, and a BS in Finance from Indiana University.

Paul LaRock is a Principal with Treasury Strategies, and helps multinational corporations and financial services providers to optimise efficiency, understand and manage risk and refine their strategies. Paul has more than 20 years of experience in corporate treasury management and operations. His experience includes policy-making roles in the management of collections, disbursements and liquidity functions. Paul works with corporations and financial institutions to develop practical strategic solutions to the key issues they face. He works for clients with needs in cash management, merchant card processing and treasury technology to increase operational efficiency and internal controls. Paul is a Certified Cash Manager and earned his BS in Accounting and Finance from Eastern Illinois University and his MBA from Northern Illinois University. Paul is a graduate of the University of Chicago’s Basic Programme in Literature.

ABSTRACT

A variety of environmental factors have combined to raise the risk inherent in processing payment transactions. Among other factors, risk is increasing because payment methods and channels are proliferating and becoming more complex, settlement infrastructures are expanding access in order to compete, and the velocity and leverage of financial transactions are increasing. In response, regulators have raised the bar, and Boards of Directors and senior management at both banks and other financial services providers are asking tough questions. This paper reviews some of the key forces driving increased operating and compliance risk in the payments industry and outlines an approach for effectively managing this risk. The authors recommend that payment risk be viewed in its component parts at a foundational level and also offer a more comprehensive framework for risk management that includes not only compliance and control, but also customer experience, efficiency and delivery architecture. Finally, an industry-wide approach to identifying and eliminating risk more rapidly and effectively through a consortium that would share information on payment risks is suggested. This consortium could ultimately also provide a basis for more transparent measurement, monitoring and insurance of payment risk.

Keywords: Risk, compliance, BASEL 2, operations, regulation, channels, networks, controls, architecture, governance, fraud, capital

THE TIMES THEY ARE A-CHANGING

We sometimes fail to recognise the magnitude of change that has occurred because we experience change in small events and gradual increments that appear logical once they have occurred. It is useful, however, to go back just one generation and consider the payments environment that a banker in the early 1980s would have experienced.

Payments were relatively simple in the early 1980s. An individual or business could initiate a payment by cheque, currency and, if they were lucky, by credit card. A select group of special customers could initiate payments by telephone or file. The automated clearing house (ACH) was a somewhat obscure payment method reserved for payroll, recurring debits by large billers, and payments conducted by a small group of firms that used ACH for business-to-business transactions. Most relationship managers knew the commercial activities of their customers intimately and could detect anomalies in payment patterns by simply looking at transactions posting to the demand deposit account.

If one were to take the banker from the early 1980s and transplant him or her to 2007, they would quickly become disoriented by the dizzying array of payment options and processes available in the marketplace. What is more, they might be horrified by some of the payment services being offered. ‘How,’ they might wonder, ‘was something like PayPal ever allowed to happen?’

The relationship manager is now often a capital markets dealmaker who is too busy creating the next deal to reflect upon the debits and credits flowing through their customers’ accounts. Automated clearing house has gone from being restricted to an exclusive club to residing at the fingertips of anyone who wants to make a payment. Fast food restaurants, vending machines and taxicabs now accept credit cards, which are sometimes even embedded into procurement and accounts payable processes. And customers can now initiate payments through a variety of channels, including clicking a mouse, driving their car or waving their wallet in the general direction of a wireless receptor.

In order to think about risk in payments, it makes sense to consider payments at the component level, as noted in Table 1. The lists of examples outlined are not intended to be exhaustive.

Channels, payment types, settlement networks and accounts can be mixed and matched together to create new payment solutions — and many payment solution providers appear to be doing just that. The example in Table 2 gives a few extreme flavours of how these combinations might work.

If one conservatively assumes that there are ten channels, ten payment types, ten settlement networks and ten account types, that results in 10^4 or 10,000 unique payment solutions. Clearly, some combinations are probably infeasible, but one would not rule anything out at this point. As in the example above, someday one may end up imaging currency and converting it to an electronic form of payment or printing currency on our computer just as one does for event tickets.

Table 1: Payment components

| Channels | Payment types | Settlement networks | Account |
| --- | --- | --- | --- |
| Channels are the media through which a payment is initiated | Payment types are the form of the payment and define the settlement conventions and regulations governing the payment | Settlement networks are the infrastructure used to exchange funds or information in support of settlement; networks have rules and may limit access | The account is the designated entity to and from which funds are moved |
| • Telephone | • Cheque | • Federal Reserve | • Bank demand deposit account |
| • Web | • ACH (BOC, PPD+, WEB, etc.), GIRO, etc. | • Peer to Peer (bank to bank) | • Bank savings account |
| • Fax | • Fedwire | • ATM networks | • Bank loan account |
| • Card/Plastic | • SWIFT (eg MT101) | • Card associations | • Brokerage account |
| • Mobile | • Currency | • PayPal | • Proprietary accounts (eg PayPal) |
| • Wireless transponder | • Prepaid units | • Proprietary | |
| • Mail | • Direct account transfer | • SWIFT | |
| • File to file | • Credit card transaction (debit, credit, other) | • CHIPS | |
| • Counter (physical presentment) | • Proprietary payment methods | • Clearing houses | |
| • Scanning device + file transmission | • Virtual monies (eg Second Life Linden dollars) | | |

Table 2: Sample payment solutions

| Channel + | Payment type + | Settlement network + | Account type | = Payment solution |
| --- | --- | --- | --- | --- |
| Telephone initiated | Reload of a prepaid card | Using PayPal to debit | My parent's bank account | Starbucks refill option for slackers who have access to their parent's bank account via PayPal |
| Scanning and file transmission of | Chinese Renminbi notes with unique micro-fibre IDs | Transmitted via SWIFT File Act to credit Walmart’s | USD collection account at JPMorgan Chase | Remote currency deposit capture solution |

MANAGING RISK AT THE FOUNDATIONAL LEVEL

Managing the risk of each unique payment solution ultimately becomes impossible for several reasons. First, there is almost no end to the combinations that can be created. Each new channel, payment type, settlement network and account type that is introduced into the market with some unique characteristic has an exponential impact on the number of payment solutions possible. For this reason, the risks of payment solutions must be handled at a foundational level. Some sample risk issues are outlined under the first of the three components in Table 3.

Table 3: Sample risk issues by component

| Channel | Payment type | Settlement network |
| --- | --- | --- |
| • Authentication of individual initiating transaction | • Legal and regulatory parameters governing transaction | • Rules for unwinding transactions in the event of failure |
| • Permission of individual initiating transaction | • Rules governing finality and conditions under which transactions may be reversed | |
| • Proof that the transaction actually occurred | • Settlement timing, which gives rise to the magnitude and duration of credit risk exposures | |

With this foundational approach, the components of payments can be isolated and the risks addressed. This approach also has the benefit of maximising risk management and compliance scale by aggregating the risk and compliance management governance, tools and processes at an enterprise level. This approach also ensures consistency across the organisation, as various units will not treat the risks of specific channels, payment types and settlement networks in an inconsistent manner. Within institutions, there is a strong likelihood that, should this framework be executed, inconsistencies will immediately be uncovered in the way in which foundational aspects of risk are being managed in different regions, business units or platforms. Generally, these inconsistencies are present in the way the risks of channels and settlement networks are managed, as most banks tend to focus more on the payment type to the exclusion of other payment elements. In addition, fragmentation of channels may result in varying capabilities with respect to control, authentication and reconciliation. Finally, a foundational approach provides a basis for measuring and monitoring risks by component — something that is nearly impossible to do if this framework is not first implemented. Such measurements help prioritise where risks are largest and can thus help guide investments in risk-mitigating tools or education. For example, a bank may view the Web as the primary risk channel and direct most of its risk-management dollars to managing this risk when, in fact, a higher volume of high-risk transactions may be occurring by telephone or other channel.

Consider this foundational approach, for example, in evaluating and managing the risk of the telephone as a channel. In the case of telephone-initiated payments, the bank must authenticate the individual who is initiating the transaction, ensure the person is authorised for the action they have undertaken and, in the case of a dispute, prove that the individual did indeed initiate the transaction. There are numerous types of payment instructions banks can accept by telephone. Rather than individually assess the risk of each type of solution that uses the telephone as a payment channel, it is suggested that banks assess the channel risk and designate appropriate control and mitigants comprehensively and consistently, applying controls based on the magnitude of the risk. Note that this magnitude will depend on other payment elements such as payment type, dollar threshold or a combination of multiple elements. For example, a bank would probably require far more significant controls around telephone-initiated wires over US$1m as opposed to telephone-initiated internal book transfers below US$100,000.
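The two ideas above, selecting channel controls by magnitude and measuring risk by component, can be sketched in a few lines. This is an added example, not part of the original paper: the control names come from Table 4, while the tier assignments, the "web" row, and every threshold other than the US$1m and US$100,000 figures are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Authentication controls for the telephone channel are taken from Table 4.
# The tier each control is assigned to, the "web" row and every threshold
# other than the two dollar figures quoted in the text are assumptions.
CHANNEL_CONTROLS = {
    "telephone": {
        "low": {"password", "call recording"},
        "medium": {"password", "call recording", "challenge question"},
        "high": {"password", "call recording", "challenge question",
                 "callback to designated number"},
    },
    "web": {
        "low": {"password"},
        "medium": {"password", "challenge question"},
        "high": {"password", "challenge question",
                 "post-transaction confirmation"},
    },
}

# Per payment type: (amount from which the tier is medium, amount above which
# it is high), in US$. The text contrasts wires over US$1m with internal book
# transfers below US$100,000.
TIER_THRESHOLDS = {
    "wire": (100_000, 1_000_000),
    "book_transfer": (100_000, 5_000_000),
    "ach": (25_000, 500_000),
}


@dataclass(frozen=True)
class Payment:
    channel: str
    payment_type: str
    amount: int  # US$


def magnitude(payment):
    """Risk tier from payment type and dollar threshold, independent of channel."""
    thresholds = TIER_THRESHOLDS.get(payment.payment_type)
    if thresholds is None:
        return "high"  # unknown payment type: fail closed to the strictest tier
    medium_from, high_above = thresholds
    if payment.amount > high_above:
        return "high"
    if payment.amount >= medium_from:
        return "medium"
    return "low"


def required_controls(payment):
    """Controls come from the channel's own table, selected by magnitude."""
    tiers = CHANNEL_CONTROLS.get(payment.channel)
    if tiers is None:
        raise ValueError(f"no controls defined for channel {payment.channel!r}")
    return tiers[magnitude(payment)]


def high_risk_by_channel(payments):
    """Count and total the high-tier payments per channel (measurement by component)."""
    summary = defaultdict(lambda: [0, 0])
    for p in payments:
        if magnitude(p) == "high":
            summary[p.channel][0] += 1
            summary[p.channel][1] += p.amount
    return {channel: tuple(v) for channel, v in summary.items()}


# Constructed sample: more transactions arrive by web, but the high-tier
# volume is concentrated in the telephone channel.
SAMPLE = [
    Payment("web", "ach", 12_000),
    Payment("web", "ach", 30_000),
    Payment("web", "book_transfer", 40_000),
    Payment("web", "wire", 1_500_000),
    Payment("telephone", "wire", 2_500_000),
    Payment("telephone", "wire", 1_200_000),
    Payment("telephone", "book_transfer", 80_000),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, magnitude(p), sorted(required_controls(p)))
    print(high_risk_by_channel(SAMPLE))
```

A payment type that has no entry yet, such as a prepaid reload initiated by telephone, still resolves to the telephone channel's strictest control set, so a new combination needs no rule of its own.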

Controls and mitigants can be preventive and detective. Table 4 outlines some sample controls and mitigants for each risk of the channel.

Table 4: Sample controls for authenticating payments by telephone channel

| Key risk issue | Preventive controls | Detective controls |
| --- | --- | --- |
| Authentication | • Passwords | • Detection and investigation of unusual patterns |
| | • Callbacks to designated numbers | • Post-transaction confirmations |
| | • Recording of telephone calls | |
| | • Limiting access to payments with some pre-authorised parameters, eg repetitive wires | |
| | • Voice recognition analysis | |
| | • Challenge questions | |
| Settlement Timing creating credit exposure | • Deliver versus payment (eg defer outbound payments until covering funds are final) | • Monitor balances and transaction behaviour to flag high-risk exposures |
| | • Pre-fund transactions | • Track incoming payments covering credit exposures and flag for expedited follow-up any exposures that remain open beyond a threshold duration |
| | • Collateralise exposures | |
| | • Formally approve credit exposures | |
| | • Identify incoming funds | |

These preventive and detective controls can be developed as a scalable utility across the enterprise. A bank might view voice recognition analysis as economically unfeasible for an individual payment platform, but such an investment might at some point become feasible if leveraged across multiple payment platforms and business units. After authenticating an individual through a challenge question, the system could authenticate the individual thereafter simply by recording their voice.

The bank’s operating infrastructure should match the risk framework, scaling all competencies that can be centrally managed. Figure 1 outlines such a framework.

Channels are managed across the enterprise and the affiliated tools, governance and processes around authentication are similarly managed on an enterprise basis.
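The settlement-timing detective control in Table 4 (track incoming payments covering credit exposures and flag any that stay open beyond a threshold duration) can be implemented as a replay over ledger events. This is an added example, not part of the original paper; the event layout, customer names, first-in-first-out matching and the 24-hour threshold used in the sample run are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ledger events: (timestamp, customer, kind, amount in US$).
# "out": outbound payment released before covering funds are final.
# "in":  incoming funds that have become final.
EVENTS = [
    ("2007-10-01T09:00", "acme", "out", 400_000),
    ("2007-10-01T11:00", "acme", "in", 250_000),
    ("2007-10-01T15:00", "birch", "out", 90_000),
    ("2007-10-02T10:00", "acme", "out", 100_000),
    ("2007-10-02T16:00", "birch", "in", 90_000),
    ("2007-10-02T17:00", "cedar", "in", 50_000),
    ("2007-10-03T08:00", "cedar", "out", 30_000),
]


def open_exposures(events, as_of):
    """Replay events up to as_of; return {customer: [(opened_at, uncovered amount), ...]}."""
    queues = defaultdict(deque)      # oldest uncovered outbound payment first
    prefunded = defaultdict(int)     # final funds received ahead of outbound payments
    for ts, customer, kind, amount in sorted(events):
        when = datetime.fromisoformat(ts)
        if when > as_of:
            break
        if kind == "out":
            covered = min(amount, prefunded[customer])
            prefunded[customer] -= covered
            if amount > covered:
                queues[customer].append([when, amount - covered])
        elif kind == "in":
            queue = queues[customer]
            while amount and queue:          # apply funds to the oldest exposure first
                applied = min(amount, queue[0][1])
                queue[0][1] -= applied
                amount -= applied
                if queue[0][1] == 0:
                    queue.popleft()
            prefunded[customer] += amount    # anything left over pre-funds later payments
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return {c: [tuple(item) for item in q] for c, q in queues.items() if q}


def flag_for_follow_up(events, as_of, max_age):
    """Exposures still open after max_age, oldest first, for expedited follow-up."""
    flagged = []
    for customer, items in open_exposures(events, as_of).items():
        for opened_at, amount in items:
            age = as_of - opened_at
            if age > max_age:
                flagged.append((customer, opened_at.isoformat(), amount,
                                int(age.total_seconds() // 3600)))
    return sorted(flagged, key=lambda f: f[1])


if __name__ == "__main__":
    now = datetime(2007, 10, 3, 9, 0)
    print(open_exposures(EVENTS, now))
    print(flag_for_follow_up(EVENTS, now, timedelta(hours=24)))
```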

Figure 1: An operating architecture aligned to the foundational risk-management framework (diagram labels: WIRE, ACH, CHEQUE, CARD; CHANNEL MANAGEMENT; AUTHENTICATION)

Third party processor risk

This section briefly discusses a critical issue in payments risk — third party processors. Third party processors, such as payroll processors, proprietary settlement networks, collection agencies, etc., pose significant risk because they create multi-channel payment solutions. For example, in the case of a collection agency, they may secure by telephone the approval of a consumer to initiate a debit to a cheque account via ACH and then send that payment instruction to the bank in a bulk file or by initiation over the Web. The bank may authenticate authorised individuals at the collection agency but probably will not authenticate the consumer that originally generated the transaction. Dependent on the nature of the channels, it may be difficult or even impossible for the bank to authenticate the initial payment channel, thus exposing the bank to risk it cannot directly manage.

The risk of multi-channel payment solutions can be addressed through several approaches, which vary in their cost/feasibility and degree of preventive control. At one extreme, banks can demand complete visibility into the activities of their third party processing clients. In the example above, the bank might demand that the collection agency manage its telephone collections with total transparency, using platforms, processes and standards approved by the bank. At another extreme, the bank might simply evaluate the efficacy of the collection agency’s internal practices and set limits based on the bank’s comfort with the agency’s practices and credit condition. In the middle, the bank might investigate the agency’s practices, require a SAS70 (Statement on Auditing Standards) Level 1 audit, or have the right to conduct spot audits of underlying documentation on transactions, such as the right to listen to audio files of consumer-initiated transactions or independently verify such transactions.

A BUSINESS VIEW OF MANAGING OPERATIONAL AND COMPLIANCE RISK

Once risks have been appropriately identified and evaluated, a bank must choose among various options as to how best to prevent and/or detect such risks. The same holds true for compliance requirements that must be met. Many business clients tell horror stories as to how risk and compliance management options are selected. One sees business units faced with the dilemma of either buying technology solutions that are too costly relative to revenues or adding additional staff and costs for manual activities that degrade efficiency and customer experience, while also restricting strategic options by further complicating the delivery architecture. With these challenges in mind, the following framework was developed for assessing operational and compliance risk options, shown in Table 5. Under each element of the framework, an example of a key objective is given and how it might translate to specific metrics or capabilities.

While most risk solutions are assessed based on their ability to limit or reduce operating, credit, compliance and fraud risk, one typically sees very little, if any, attention paid to the impact on efficiency, customer experience and the overall delivery architecture. One finds, however, that these factors are not only worthwhile in their own right, but also heavily interdependent with risk. As a result, by failing to consider these criteria, banks are actually introducing risk back into the system, even as they are trying to reduce it.

Consider, for example, a risk-management solution that impairs efficiency, degrades customer experience and further complicates the technology or processing architecture. While no one would admit to implementing such a solution, one sees these approaches frequently. Inside the bank, they are referred to as ‘quick fixes’ or ‘band-aids’. And indeed, such solutions give the appearance of addressing the risk in question. As an example, a bank whose operation is committing errors may throw more people at the problem to do spot checks to limit errors; however, the fundamental root cause of the operating risk remains unresolved.

HOW RISK SYSTEMS BACKFIRE

Very few banks will admit to being able to tolerate decreases in efficiency — in fact, most are seeking material improvements in staffing throughput levels and unit costs. If a risk solution decreases efficiency, the unit in question will most likely not be permitted to increase its cost structure, but instead will be challenged to cut costs elsewhere to offset the degradation in efficiency. Without any true efficiency gain, the cost cutting will take place by arbitrarily reducing costs — probably staff — increasing stress within the operation and also increasing the likelihood of operating errors or failure to catch errors or fraud owing to staff being overstretched.

In a similar manner, if customer experience is degraded as a result of a risk solution, risks in the system will increase elsewhere. Consider, for example, some of the onerous screening processes a bank may go through to address ‘Know Your Customer’ requirements. If these procedures are conducted in a manner that starts the relationship off on a bad footing, several secondary impacts are likely. First, sales staff may seek ways to minimise or short-circuit the screening, so as to limit the negative impacts on their client base. Additionally, poor customer experience will cause the most flexible and healthiest clients to seek alternative providers, resulting in an adverse selection in which the bank is stuck with clients who are doing business with the bank because they cannot go anywhere else.

Lastly, the most critical element of this framework is the overall architecture, and this brings us back to the importance of taking a foundational view of risk. Many banks are currently in a vicious cycle where the bulk of their investment dollars are directed toward compliance and maintenance with very little available for net new investment. These investments are made at the margin — in most cases ‘bolted on’ to the existing architecture. Each successive round of risk-management investment produces a more complicated architecture such that future development is lengthy, costly and fraught with risk due to complexity. As a result, such institutions are continually strained by compliance and maintenance demands and defer investing in strategic initiatives such as re-architecting their delivery platform.

While such a move might require a two to three year investment window, it could fundamentally free a bank from this vicious circle.

Table 5: A framework for managing operational and compliance risk

| Risk | Compliance | Customer experience | Efficiency | Architecture |
| --- | --- | --- | --- | --- |
| Example: Quantification, monitoring and approval of credit risk exposures | Example: Compliance with AML across all relevant platforms | Example: Service levels relative to customer needs and competitor capabilities | Example: Cost efficiency and staff productivity | Example: Extensibility of platform |
| • Appropriate identification of risks | • Proper incorporation of geographic, and product risk | • Speed of delivering lockbox images following receipt from Post Office | • Unit costs by platform, eg unit costs per wire and per ACH transaction | • Ability to extend risk management and compliance monitoring and filtering across platforms. |
| • Quantification of risk exposures relative to nature of risk and customer risk | • Isolation of suspect transactions | • Elapsed duration to open a new deposit account for an existing customer | • Throughput rates, eg wholesale lockbox items processed per FTE per month | • Ability to add functionality or third-party integration to existing platforms |
| • Monitoring of exposures against limits | • Appropriate treatment of high-risk customers and transactions | • Percentage of files transmitted successfully against deadline | • Key productivity drivers, eg STP rate for wire processing | |
| | | | • Cycle times — elapsed process time for an event | |

In evaluating options to address risk,it is recommended that banks considerfive types of solutions, as summarised inFigure 2.

• Education consists of training for staff toensure they understand risk, are awareof their roles in managing risk, and havethe skills and knowledge base to per-form those roles. Education should alsoinclude an assessment process to validatethat staff are positioned to perform theirroles.

• Governance includes formal oversight ofall activities, ensuring that approvaldecisions are made at appropriate levelsof seniority and that decisions areappropriately informed. The scope ofdecisions should include not only ap-proval of risk exposures and exceptionactivities, but also review and approvalof policies and procedures, systemsand training programmes. Governancealso includes a comprehensive portfolioview as to the optimal risk/return mixof various lines of business.

• Metrics and MIS encompasses not onlyformal post facto reports on risk ex-posures, but also the ability to conductad hoc reports or otherwise query awide array of transaction and customerdata for purposes of understanding riskexposures.

• Policies and procedures are at the heartof any risk-management programme.Policies and procedures cover notonly operating activities, but also risk-management processes, exception ap-proval activities and formal activities todocument, investigate and act upon lossoccurrences.

• Tools are both automated and manual

Figure 2 Solutionelements foraddressingpayments operatingand compliance risk

Managing operating and compliance risk

Page 146

Metrics

& MISEducation

ToolsPolicies &

Procedures

Governance

Page 10: A strategic framework for managing operating and ... · Table 1: Payment components Channels Payment types Settlement networks Account Channels are the media Payment types are the

support materials that assist staff in managing risk. For example, a tool might include something as complex as a cross-platform transaction monitoring system to flag suspicious transactions for anti-money laundering (AML) activities, or it could also be something as simple as a one-page checklist to determine whether a customer is a third-party processor.

Thus, in evaluating options for reducing risks, each of the above five elements should be considered in concert with one another, and the efficacy of the solution should be based not only on the degree to which risk is mitigated, but also on the broader objectives of efficiency, customer experience and architecture.

A VISION FOR THE FUTURE

An unfortunate tenet of risk management is that, as an industry, it tends to learn the hard way. The reasons for this are fairly simple. First, there is no shortage of creativity among crooks. Secondly, with innovation comes complexity and the potential for unforeseen errors — at times it appears that operating risks follow chaos theory, where the slight shift of a butterfly’s wings in South America causes a total crash of a Web platform in the UK.

Banks have made great strides in managing risk across the enterprise. Five years ago, few organisations were able to look at payment risks across platforms. Today, most major banks can do so. Perhaps now the time has come to look at risks across banks. A consortium that provided a clearing house for information around compliance and risk could provide several services.

(i) The clearing house could act as the ultimate AML filter. Properly structured, it could provide privacy to all parties concerned, but filter unusual payment patterns across institutions, thus catching fraud or laundering schemes that were too subtle to be caught at any single institution.

(ii) The clearing house could act as a repository for experienced risks or ‘near misses’. The clearing house could operate a clear scheme for classifying risks so that members of the clearing house could do a keyword search on a platform, channel or other term and identify anecdotal information about real-world experiences. The clearing house could produce risk alerts notifying the market of recent schemes or problems.

(iii) The clearing house could provide a structured means for measuring and reporting on risk across the industry. With this information, the clearing house could provide benchmarking data, enabling banks and other financial services providers to compare their performance.

By providing better information and transparency around industry risk, the clearing house would also provide banks and other financial services providers with a quantitative way to present to the market their performance around risk. In turn, this would lead to more informed investment decisions as well as the potential for a secondary market in insuring a broader array of risks. Given the very long tail in some of the risk distributions present in payments, this would greatly strengthen the capital position of institutions.

CHALLENGES TO THE VISION

The financial services highway is littered with failed consortium attempts (does


anyone remember EDIBANX?), but there are also successes to which one can point (see Table 6). In general, for a consortium to succeed, it needs to avoid complexity, avoid areas of differentiation and provide a framework for clear benefits.

The above ‘lessons’ suggest several courses of action for a risk consortium.

(i) The consortium is more likely to succeed if it begins as a small group of large banks coalescing around the concept. Given the consolidation in the industry, three large banks could generate sufficient data to provide a robust sample. For example, in the US, the three largest treasury management banks could generate data on as much as 40 per cent of the payment flows as a party to one or both sides of the transaction, with the total scope dependent on the level of overlap among their transactions. Such a flow would enable them to see larger data samples for pattern analysis as well as produce a transaction risk database.

(ii) The consortium must focus narrowly on risk and avoid tackling issues that would appear to undermine the ability of any player to differentiate competitively. As an example, in the credit markets, the Loan Pricing Corporation (ultimately acquired by Reuters) set out to provide robust data on lending spreads and default experiences but did so in a manner that did not compromise the ability of any individual bank to compete for a particular credit. While risk/return is paramount to business executives, banks will want to differentiate themselves by aligning themselves in varied manners along the risk/return parameter. As a result, the consortium should focus narrowly on risk and not profitability or related revenues.

(iii) The consortium must address differences in data among banks in order to build a robust, universal database. This could be done in several ways. A common technology player in the compliance or risk-management space might join the consortium to provide a proven basis of categorising and mapping data in a manner that supports aggregation across multiple institutions. Alternatively, an industry group could provide a common data framework and possibly also serve as the infrastructure for the activities of the consortium. Examples of


Table 6: Consortium failures and successes

| Failures | Successes |
| --- | --- |
| Many players with competing and divergent views or needs | Focused group of initial players with critical mass, eg oligopolistic industry structure |
| Scope of consortium includes areas seen as potential areas of strategic differentiation | Consortium not seen as constraint on competition as area of focus is a commodity |
| Significant integration costs or challenges in integrating disparate data sets | Standards and limited or common points of interface, making integration into the consortium manageable |
| Exposure of private data to members of the consortium | Limited customer or other critical data or strong protection |
| Potential for collusion or other anti-competitive violations | No risk of anti-trust concerns |


such groups include SWIFT and NACHA.

(iv) The consortium would require a separate legal entity so that the underlying data would be inaccessible to consortium participants. The consortium would also require an infrastructure that provided best-in-class industry standards around data protection. Such a level of protection is critical, as the consortium would necessarily require customer-specific information to be effective. For example, unique account number, bank identifier combinations would be needed to assess patterns across institutions.

In addition to the above challenges, the consortium faces the challenge of resources. Banks are already constrained by investment capital that is all too often absorbed by immediate compliance needs. As a strategic initiative with a payback period of at least 18 months, it is likely that the consortium could be deferred in favour of incremental improvements on a stand-alone basis. One option for overcoming this obstacle would be for a ‘for-profit’ entity to capitalise the consortium in return for a future profit stream or the initiation of a limited consortium focusing on reporting on experienced risks.

While the above challenges are significant, they are not insurmountable. The authors believe the potential consortium concept should be raised within key industry groups to determine industry appetite and the optimal parameters for such a consortium.

CONCLUSIONS

Payments risk is a quickly evolving arena. New payment vehicles are multiplying, and the card and ACH networks are transforming and competing for additional payment share. Regulators are intensifying their expectations as to the controls and policies that providers have in place. Against this backdrop of change, the authors have outlined an approach for managing payments risk at the foundational level, scaling competencies across the organisation and ensuring greater consistency among business units. A significant risk in managing payments risk is the potential that providers may make marginal investments in risk and compliance controls that negatively affect efficiency, customer experience or the operating architecture of the firm. The authors argue for a broader framework that considers these impacts, which will lead to a more strategic, long-term view of the risk infrastructure, ultimately freeing resources for more discretionary investments. Lastly, a possible industry-wide clearing house to capture and share information on risk and compliance across the industry is outlined. Given the importance of payments risk and compliance, and its potential to ‘crowd out’ the investments needed to grow and innovate, the authors believe these strategic perspectives and frameworks will best position banks to succeed.
