Regulators warn of the impact of concentration risks to bank operations

“If you owe the bank $100 that's your problem. If you owe the bank $100 million, that's the bank's problem.” - J. Paul Getty

The late industrialist well characterized the value of diversifying investments. Banks serve their depositors and shareholders best by avoiding highly concentrated financial risks. And yet, many of these same organizations are facing similar operational risks as a result of their reliance on a small number of dominant vendors.

For example, some 90% of banks and credit unions in the U.S. rely on one of three “core processors.” This concentration of services limits operational capabilities compared to large, well-resourced banks, and also creates systemic risks from the concentration of data stores. This recent article from the WSJ demonstrates the specific challenges created by smaller banks’ reliance on these major core processors.

Regulators, too, have begun to focus on vendor concentration as an operational risk concern. The OCC’s semiannual risk report from December warns that an “increased reliance on a limited number of entities creates concentrations that increase systemic risk.” The same regulator includes the evaluation of concentration risks in its examination handbook, covering both geographic concentrations and vendor concentrations. Among the critical services banks must be mindful of are transaction processing and the housing of sensitive customer information. In short, a security breach at one of these vendors could expose an unprecedented volume of depositors’ data.

So how should IT organizations at banks and regulators address these growing concerns before they cause the types of operational risks akin to financial risks of undiversified investment portfolios?

FINRA offers guidance on managing financial concentration risks that is illustrative for the analogous operational concentration risks faced by IT organizations. Its advice: (1) diversify, (2) rebalance regularly, (3) look "under the hood" of collective funds like ETFs, and (4) know how easily you can sell investments.

Viewed through the eyes of a data manager, these principles take the following forms:

Diversification can be easier said than done. Internally built systems, like the data warehouse built by a Virginia bank as described in the WSJ article, can achieve diversification but are often prohibitively expensive.

Rebalancing investments requires continuous evaluation of a portfolio and the ability to address concentrations as they arise. For an IT organization, rebalancing most notably takes the form of spreading data or services across different vendors or geographic locations. The need for rebalancing will be identified through a periodic diligence process that prioritizes critical data and tracks any changes in its criticality to business operations. Scenarios that may call for rebalancing include unbalanced growth of data volumes (how much scale-out can in-house systems absorb before new systems become necessary?) and, in the case of external vendors, business changes that push the concentration or magnitude of risk beyond acceptable limits (such as mergers among vendors or poor financial performance).

Looking “under the hood” of IT solutions means conducting appropriate diligence on third- and fourth-party vendors. When AWS’ east coast data center experienced a service outage in early 2017, many of the internet’s top consumer-facing services were unavailable for part or all of the five-hour service disruption. This cascading effect can plague unprepared organizations that discover their redundancy plans depend on the very services that run their primary systems. Careful diligence of SaaS vendors can prevent such mishaps.
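As an added example (not code from the original post), the following Python script models a bank's vendor dependency graph and surfaces two things the rebalancing and "under the hood" steps above ask for: the share of critical services that ultimately rest on each underlying provider, and any backup plan that shares a root dependency with the system it is meant to protect. All vendor names, dependencies and criticality assignments are constructed for illustration.

```python
"""Vendor-concentration and shared-dependency check (illustrative example).

The dependency map, the set of critical services and the backup assignments
below are constructed sample data, not any real bank's vendor inventory.
"""
from collections import defaultdict

# Constructed: each service or vendor -> providers it directly depends on.
DEPENDENCIES = {
    "core-banking":     ["core-processor-A"],
    "core-processor-A": ["cloud-east"],
    "online-banking":   ["saas-portal"],
    "saas-portal":      ["cloud-east"],
    "dr-site":          ["cloud-east"],   # the backup site also runs on cloud-east
    "data-warehouse":   ["on-prem-dc"],
    "cloud-east":       [],
    "on-prem-dc":       [],
}

# Constructed: the bank's critical services and their designated backups.
CRITICAL = {"core-banking", "online-banking", "data-warehouse"}
BACKUPS = {"core-banking": "dr-site", "online-banking": "dr-site"}


def transitive_deps(name, deps=DEPENDENCIES, seen=None):
    """Return every provider `name` depends on, directly or through others."""
    seen = set() if seen is None else seen
    for dep in deps.get(name, []):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(dep, deps, seen)
    return seen


def concentration(critical=CRITICAL, deps=DEPENDENCIES):
    """Fraction of critical services that ultimately rest on each provider."""
    counts = defaultdict(int)
    for service in critical:
        for provider in transitive_deps(service, deps):
            counts[provider] += 1
    return {p: n / len(critical) for p, n in counts.items()}


def shared_root_risks(backups=BACKUPS, deps=DEPENDENCIES):
    """Backup plans whose dependencies overlap the primary's (cascading risk)."""
    risks = {}
    for primary, backup in backups.items():
        overlap = transitive_deps(primary, deps) & transitive_deps(backup, deps)
        if overlap:
            risks[primary] = sorted(overlap)
    return risks
```

With this data, two of three critical services end up on cloud-east, and both backup plans collapse onto the same provider as their primaries, which is exactly the hidden dependency the diligence step is meant to expose.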

Liquidity risks in investments are analogous to the vendor lock-in risks faced by IT organizations. These risks can be limited through forethought in technical design, which can either hinder or facilitate vendor migration, and through thoughtful negotiation of vendor contracts.

These common sense steps can help firms avoid concentration risks in their IT operations.

What operational challenges has your organization faced with the current concentration of vendor services? Is there anything your organization is doing to limit its exposure to the systemic risks posed by these concentrations?