By Sameer Pendse, VP & Global Solutions Lead, Mphasis

The past fifteen years have seen a huge evolution in the role of technological innovation within the field of Governance, Risk and Compliance (GRC) and its impact on the global financial services sector. The shifting innovation trends can be categorised into five generations – currently we’re in ‘Generation 5’, which is yet to mature in terms of the key developments emerging in the industry.

What was the trajectory that brought us to this phase and, crucially, what lies ahead for financial institutions in their innovation journey?

The rise of AML, artificial intelligence & machine learning

In Generation 1, around fifteen years ago, the focus was for financial institutions to implement financial crime prevention programmes, driven by Anti-Money Laundering (AML), using traditional automation techniques. These programmes leaned on commercial-off-the-shelf (COTS) tools for AML, know-your-customer (KYC) verification and sanctions screening.

For some financial institutions, namely tier 2 organisations, COTS solutions proved costly and difficult to implement and support. As the need for AML became a more pressing concern, due to increased cyber-crime, the size of knowledge worker teams grew larger as a greater number of alerts needed investigation. That’s where a gap appeared for advanced automation.

A key requirement throughout those early years was implementing robust Basel driven financial risk programmes – specifically Basel II – before Basel III became a priority that emerged from the 2008 crisis. At that stage, financial institutions directed budgets towards upgrades to address the revised capital formulae, moving to internal models for credit, operational and market risk. Liquidity risk tracking and reporting also gained prominence as banks transitioned to a regime where funding issues could be detected well before they became bankruptcy conditions.

Cue eight years ago, as the industry entered Gen 2, the focus shifted to addressing regulatory actions such as consent orders and MRAs, which were geared mostly towards resolving deficiencies in AML programmes. This was also the generation of high penalties, and financial institutions had to restrict their innovation drives, redirecting time, budgets and efforts on remediating regulatory actions.

At this point, financial institutions had invested heavily in either custom or COTS financial crimes detection platforms but these operated in silos and failed to give a complete customer view. In certain cases, there were inadequate checks in place, allowing suspicious activity to pass through. Regulators were also introducing formal stress testing, such as CCAR in the U.S., and top banks were making initial strides in building out these solutions.

By the watershed year of 2015, Gen 3 saw AI and ML techniques achieving industry application levels, rather than just being lab prototypes. This, coupled with fewer regulatory enforcements and penalties, led to significant spends and applications of AI and ML in GRC, in addition to mainstream banking applications. Driven by innovation in natural language processing (NLP), artificial neural network (ANN) and semantic technologies, the GRC arena benefited from solutions for, among others, auto detection of suspicious activities for specific transactions, auto construction of beneficial owner hierarchies in KYC, false positive scoring and ranking to reduce investigation workloads, the use of patterns and rules in fraud detection, and harnessing semantic technologies for alert investigation.

Growing prominence of cloud & financial risk management

As we entered Gen 4 in 2017, the industry was on the verge of architecting GRC applications natively on the cloud. This fulfilled the need for easily available governance solutions, previously performed by Excel-based databases.

This generation saw further momentum in the growth of innovative AI/ML capabilities, including adverse media detection using sentiment analysis and NLP; automatic contract remediation; use of real time customer behaviour in driving allowed transaction limits versus using static KYC data; sentiment analysis in measuring customer credit risk in public and private publications; and the use of ANN and XGBoost paradigms for trade surveillance alerts.

With the advent of Basel IV and peaking innovation in compliance, attention shifted to financial risk. Financial institutions poured investment into rewriting market risk solutions for the Fundamental Review of the Trading Book (FRTB) and transitioned away from the Advanced Measured Approach in operational risk to the new standardised approach. It was also at this time that major banks began revising their stress testing solutions to have more reusable components and move away from spreadsheet based Gen 2 efforts to more configurable solutions, including COTS.

The emergence of model risk management is also a key step in the direction of more control on the model development and use process – some financial institutions prefer to build custom solutions in-house to meet specific requirements and retain control of technology and scalability considerations.

What innovation trends will drive Generation 5 for banking?

Gen 5 brings us the next step in the AI and ML journey, which is the emergence of quantum computing as a viable solution to tackle search and portfolio problems. This is something that’s very much on the global agenda, with the UK government, for instance, recently investing £153 million into quantum technology for the benefit of the financial services sector. One classic roadblock that can be solved with quantum computing is the detection of non-customer sanctioned accounts and transactions in large data sets. This protects firms from reputational risk arising from regulatory actions and penalties.

In financial risk management, AI and ML haven’t found as high a level of applicability as expected, and it will be some time before we see those trends emerging. However, I would argue that this is the right generation for those introductions.

Blockchain technology also hasn’t found universal applicability in GRC, although it is becoming popular in legal contract lifecycle management. This generation will also see the emergence of more mainstream uses of blockchain.

Another settling trend is the use of “smart” technology in automating knowledge worker tasks, which will lead to significant process and cost efficiencies – typically in alert investigation. While “utility” models (central repository for KYC data; sharing of this data on pay per use; shared sanctions screening services across banking consortiums) have been attempted in previous generations, they have not succeeded for reasons such as cost-benefit and loss of competitive advantage. It’s likely that these will be re-attempted, with a better chance of coming to fruition.

Gen 5 will also see the realisation of “shadow IT” as a significant challenge, especially for the top 50 banks worldwide. Regulators are likely to commence investigation of problems caused by shadow IT, similar to how consent orders in AML became commonplace.

While the GRC industry has seen a lot of change – with each generation now fewer years apart from the last – it is the large financial institutions with deep pockets and more regulatory scrutiny (SIFIs) who are on the cusp of the latest innovation first. As they become more mainstream, the benefits of digital technologies will filter through to the rest of the industry to optimise efficiencies and security; look to HSBC, which reported that the additional layer of safeguarding enabled by its biometric voice recognition technologies reduced the potential amount of telephone banking fraud losses for UK customers by almost £250 million.

Overall, regulatory compliance in financial crimes and financial risk will improve as a result of continuously evolving digital trends, accelerating industry-wide transformation to leave it more protected than ever before against black swan events such as the financial crisis or Covid-19.