Is the risk function ready to waltz with the new regulatory mandate?

Complexity has a way of compounding, especially since the advent of embedded finance — a rather intricate web of outsourcing arrangements involving multiple stakeholders and dependencies. When parlayed with the immense financial sums at stake, complexity can become a recipe for calamity. Citibank’s nearly $1 billion accidental payoff to Revlon Inc’s distressed creditors, and the litigious chase that followed, is a great reminder of the need for better operational risk management. ?

?

Such disruptions whether due to human error, cyber incidents, or frauds can be crippling for lending organisations. This is why the risk function has acquired a renewed prominence in banking governance — a crucial role as conscience keepers deterring the build-up of potential risks. ?

?

In fact, all assurance functions, namely, risk management, internal audit, and compliance functions play an integral role as guardians, ensuring that the bank/NBFC operates safely, ethically and within regulatory and legal boundaries.?

Organisations that fail to afford assurance functions the deserved stature and independence are courting disaster. ?

When assurance functionaries are relegated to titular roles, governance policies fail to adequately incorporate risk considerations for crucial aspects such as identifying target segments and business sectors, determining acceptable concentration levels, and establishing product-specific guidelines, including borrower loan eligibility criteria. This paves the way for recurrent breaches in risk limits, with risk concentrations stealthily escalating until they precipitate sudden downfall.?

RBI is cracking the whip on non-compliance?

?

Of late, the central bank has been reading the riot act to the banking industry. A series of punitive actions, starting in 2020, when it struck at HDFC Bank to the recent actions against Paytm Payments Bank and Kotak Mahindra Bank is proof of RBI’s hardened approach to regulatory breaches. ??

?

That’s not all. RBI has directed its spotlight on to NBFCs as well. Over recent years, NBFCs have seen a rapid expansion of their role within the Indian financial sector, with their share in the credit portfolio notably increasing, particularly in the last three years. Just a decade ago, in 2013, the total credit extended by NBFCs represented approximately one-sixth of the magnitude of bank credit. However, this proportion has increased to one-fourth, indicating a notable acceleration in credit delivery by NBFCs compared to banks. ?

?

They have emerged as a preferred option for numerous underserved sectors, given how they embraced technology in a big way to expedite and streamline their reach and credit delivery process. But this has also brought systemic risk, complexity, and interconnectedness —?the reason why RBI has of late been engaging with this sector more often than before.?

? ?

In a recent address, a deputy governor of RBI expressed concerns over NBFCs having the lowest average number of compliance staff relative to their size compared to commercial and cooperative banks, albeit increasing complexity of risks. Despite regulatory efforts aimed at securing the autonomy of these functions, he highlighted cases where heads of assurance functions held subordinate positions within the hierarchy or lacked direct access to the Board. Moreover, he noted instances of ‘dual hatting’ where individuals simultaneously hold multiple roles, compromising the effectiveness and independence of assurance functions, consequently increasing the vulnerability of NBFCs to heightened risks.?

Operational risk — a distinct and controllable risk category?

?

Although banks and NBFCs are increasingly adopting automation to enhance efficiency and scalability, operational risk remains intrinsically difficult, for a number of reasons. In digital lending, for instance, there’s an increased reliance on rule-based credit engines to accelerate the growth of lending portfolios. ?

?

However, the catch is that these models are only as good as the data and criteria upon which they are built. Measurement remains difficult, and risk teams still face challenges in bringing together diverse sources of data. Further, overreliance on historical data or algorithms leads to oversights or inaccuracies in credit assessment, particularly in dynamic or evolving market conditions. ?

?

To not be blinded by these models, you need rule engines that have an advanced analytics & monitoring layer supplemented by ‘shadow testing capabilities’ to help risk teams maintain a clear-eyed perspective about the health of their portfolios and potential areas of growth. ?

?

Having closely watched how losses from operational risk transpire, the gaps in the existing systems and processes have been all too clear to us. ?

This is why we ventured into building Sentinel — a no-code business rules engine designed to go beyond ‘live data streams and credit decision automation’ to empower risk teams with easy deployment of policies, ability to test new strategies in live environment, granular visibility into digital lending operations across partner channels, and deep analytics.?

?

We believe that those who understand the business best (assurance functionaries) should have full control over decision-making. Currently they are tied down by IT dependency and technological constraints, limiting their ability to respond at speed to changes, be it regulatory, business-related, or macroeconomic factors — exactly what we have been trying to solve for at FinBox. ?

?

Given the new forces creating new demand for operational risk management, I’d love to know how you see the risk function evolving and the kind of features you’d like to see in your rules engine. ?

Cheers!?

Rajat?