The case for pessimism in financial services

Hi,

There was once a British Airways flight flying over the Indian Ocean. It flew into a volcanic ash cloud over Indonesia, and?all four engines failed .?

Things looked so grim that passengers began writing letters home while the crew tried to keep their spirits up.?

A typical jetliner can fly with one engine. Having four engines is to build redundancy - this usually doesn’t disappoint. But with the British Airways flight, three back-ups weren’t enough.?

What does it tell you? The forces of entropy are strong, and even our best efforts sometimes fail.?

This story has a happy ending, though. The engines restarted, and the flight reached the Guinness Book for the longest unpowered flight.?

This week, I want to make a case for redundancy and pessimism in financial services.?

The big news in the finance and tech world is the?collapse of Silicon Valley Bank (SVB) .?

The SVB collapse is a classic case of a bank run. This type of run is well understood by economists, to the extent that Douglas Diamond and Philip Dybvig were awarded the?Nobel Prize last year for their model of it.

A bank run is essentially when banks’ lenders (i.e. depositors) ask for their money back all at once.?

In hindsight, the SVB collapse could have been spotted from a mile away if only people were more pessimistic.?

Among other things, a potential reason for the run was that SVB had numerous tech startup depositors, making it possible for their withdrawals to be correlated before the run. The tech bust, which caused a decline in venture funding, seems like an apparent cause for a potential surge in startup cash withdrawals -?

Or, as a?BCG note said , the fallout has highlighted four flaws in the typical bank risk management approach. One of them is -?concentration risk.?

"SVB's deposit base was concentrated in a specific sector where account balances were declining rapidly. A 'run on the bank' turned into a 'sprint on the bank' due to the interconnectedness of the client base, the actions of key influencers, and the pace of action in a digital ecosystem (digital banking and communication channels)."

When you put all your eggs in one basket, there's a higher chance of those eggs cracking in the basket.?

Tech may change, and age, but risk management doesn't.?

Concentration risk is the potential for loss resulting from overreliance on a single vendor, geographic area, or investment portfolio and is recognised across various industries. Within Vendor Risk Management (VRM), concentration risk takes on a distinct meaning. If a critical component of a company's operations or supply chain is disrupted, the entire organisation may be unable to conduct business.

Concentration risk in banking technology?

Risk in financial services and markets can have a domino effect - it takes one small element to fail for a Black Swan to occur. And much like the Black Swan theory states, post facto rationalisation is always 20:20.; but that's for another day.?

However, the risk isn't always about accounting for the Black Swans. It's largely about accounting for the White Swans.?

A white swan event is more common and has a lesser impact- routine economic fluctuations, seasonal weather patterns, or scheduled elections. But you line up enough White Swans, and magically, a Black Swan may appear.?

In the case of banking technology or FinTechs counting your White Swans is equivalent to accounting for disruptions/failure of mission-critical software.?

In its 'foundation for successful fintech infrastructure' , Andreessen Horowitz asserts that the key to building strong infrastructure companies in the fintech industry lies in strengthening mission-critical software as the fundamental building blocks.

"Would your customers be materially disrupted (or even forced to halt operations) if your service went down? Or are you merely a nice-to-have? The answers to these questions directly determine the pricing power, defensibility, and overall stickiness of your product. The deeper you're embedded—and oftentimes, the stricter your uptime SLAs!—the harder it is to replace you. While certainly, not all successful infrastructure businesses will become 100% mission critical, we believe it's easier to drive higher customer LTV when the core service you provide is absolutely essential to day-to-day operations. Typically, within fintech, this means that your product is a key enabler of either onboarding and account opening/funding, underwriting, issuing, and loan origination, or payment acceptance and collection servicing."

Mission critical software from a B2B fintech infrastructure company (for lenders) looks like -?

1. Onboarding
2. Underwriting
3. Loan origination
4. Payment Acceptance
5. Collections

A disruption to a vendor or supplier's service, in any of the mission-critical technology, due to a security breach or supply chain shortage can lead to lost revenue and reputational damage for the reliant organisation.?

Concentration risk of this kind can also impact entire markets.

As an example,?Cloudflare controls 80% of the Content Delivery Network (CDN) market .?In June 2022, an outage at 19 ?of its data centres disrupted major websites such as Google, Amazon, and Facebook, leading to widespread internet disruption.

Microsoft Windows enjoys similar dominance, which in turn, can have a widespread impact. For instance, the?WannaCry ransomware attack? exploited a vulnerability in Microsoft Windows and affected over 200,000 computers in 150 countries in 2017. The attack spread quickly because many organisations used the same vulnerable software.

A more recent example with a far-reaching impact was the global shortage of semiconductors - a classic case of concentration risk. The Taiwan Semiconductor Manufacturing Company (TSMC) produces?90% of the most advanced chips ?used in smartphones, high-end processors, and cars, leading to a backlog in production due to the pandemic.?

Goldman Sachs ?analysis found that the shortage affects 169 industries, including computing, telecommunication, household appliances, banking, healthcare, manufacturing, and aerospace, leading to production slowdowns across the sectors.

The globalised world we live in means fewer organisations control ever larger sections of some markets. The public cloud providers' market is dominated by Amazon Web Services (AWS), Microsoft Azure and Google Cloud collectively.?

Concentration risk is exacerbated here because major SaaS products are hosted via these third-party providers. Even if organisations are using a range of software services, it gives the illusion of spreading your risks across the supply chain. The reality, though, is that if all software is hosted through the same platform, you're still vulnerable to concentration risk.?

However, in highly regulated and critical sectors like financial services, a multi-cloud and multiple-vendor strategy is often neither feasible nor is it easy to change suppliers.?

It could be resource-heavy and time intensive to create and maintain multiple contracts. Such contracts include factoring in on-time delivery of a critical application or platform, network or platform availability specifications, and security requirements. Plus, these types of agreements require every individual contractor to communicate with each other and work together. Involving operating contractors between various providers can become challenging as the bank may lack significant negotiating leverage.?

Or even in the case of having a multi-cloud strategy,?in 2021, Bank of America and Morgan Stanley, two major US financial firms, announced they would use a primary public cloud provider? (IBM and Microsoft Azure, respectively) to standardise their operations. The complexity and cost of spreading workloads across multiple clouds that use different technologies, and the need to retrain developers or hire specialists, were cited as reasons for this decision.

So what's the way around this??

Reliability is not resilience:?Reliability and resiliency are distinct concepts. High reliability means minimal downtime and few outages, whereas high resilience implies a system is less prone to failure and can swiftly recover if it does. In enterprise and colocation data centres and corporate IT, designs can be meticulously reviewed, single points of failure removed, and system failure processes practised. However, in cloud services, it is often a black box where the cloud provider conducts these processes behind the scenes for the benefit of all clients rather than just a select few.

According to the?Annual Outage Analysis 2021 ?by Uptime Institute, there were 21 significant cloud/internet giant outages that resulted in negative financial consequences in 2020.

In contrast, US financial giant JPMorgan is one of the few in its industry taking a multi-cloud approach, mindful of these risks. Managers at JPMorgan have expressed concerns over the lack of control associated with a single provider and the complexity and time required to migrate to another provider and back again in case of a major outage.

Build in redundancy:?Redundancy is a concept that can be applied at many levels across many technologies. It all depends on the scope of the system. For instance, for a B2B fintech infrastructure company like FinBox, it means having a?diverse network of lenders . Such a strategy ensures that end consumers get the best loan offers and have a high probability of getting approved. In terms of technology, it means having at least two providers that do services like Pennydrop and E-Nach or having more than one DNS provider.?

All the redundancies we've built in mean everything from origination and onboarding to disbursal and collections happen on time, with the ability to bounce back from disruptions if and when they happen.?

Single contractor strategy:?Bank management can establish a multiple-provider outsourcing arrangement by designating a lead contractor to manage performance and subcontracts with other providers. This structure can result from an existing relationship or a group of providers bidding as a team. Techniques like defining roles and responsibilities in the Statement of Work can help manage risks associated with dependence on the lead provider.

What I'm trying to say is….

The solution is boring.?

To lower overall risk, organisations should understand their exposure and vulnerabilities, including auditing their entire supply chain and not just their direct suppliers. This process helps them determine an acceptable level of risk to their business.

Regular audits of critical supply chains provide valuable risk assessment information and can help organisations focus their efforts on vulnerable areas. The data extracted from the audits can reveal specific vulnerabilities with suppliers, allowing organisations to minimise risk by making changes where necessary.

In today's business landscape, relying on vendors and suppliers is often necessary for remaining competitive. However, simply outsourcing is no longer sufficient; businesses must actively engage and partner with their suppliers.

The core philosophy remains - things in the universe have a tendency to break down and fail us just when we need them most.?

So be prepared.?

That's all from me this week!

Written by Rajat Deshpande