Chartis RiskTech 100® 2015

December 2014
About Chartis
Chartis is the leading provider of research and analysis covering the global market for risk management
technology. Our goal is to support enterprises seeking to optimize business performance through better
risk management, corporate governance and compliance. We help clients make informed technology
and business decisions by providing in-depth analysis and actionable advice on the broad spectrum of
risk and compliance technology offerings. Areas of expertise include:
• Credit risk
• Operational risk and governance, risk and compliance (GRC)
• Market risk
• Asset and liability management (ALM) and liquidity risk
• Energy and commodity trading risk
• Financial crime including trader surveillance, anti-fraud and anti-money laundering
• Insurance risk
• Regulatory requirements including Basel 2, Basel 3, Dodd-Frank, EMIR and Solvency II
Chartis is solely focused on risk and compliance technology, giving it a significant advantage over generic
market analysts.
Chartis has brought together a leading team of analysts and advisors from the risk management and
financial services industries. This team has hands-on experience of implementing and developing risk
management systems and programs for Fortune 500 companies and leading consulting houses.
Chartis Research is authorized and regulated in the United Kingdom by the Financial Conduct
Authority (FCA) to provide investment advice.
Visit www.chartis-research.com for more information.
Join our global online community at www.risktech-forum.com
© Copyright Chartis Research Ltd 2014. All Rights Reserved.
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means,
electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd.
The facts of this report are believed to be correct at the time of publication but cannot be guaranteed.
Please note that the findings, conclusions and recommendations that Chartis Research delivers will be based on information
gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken
based on any information that may subsequently prove to be incorrect or errors in our analysis. See Chartis “Terms of Use” on
www.chartis-research.com.
RiskTech100®, RiskTech Quadrant® and The Risk Enabled Enterprise® are Registered Trade Marks of Chartis Research Limited.
Unauthorized use of Chartis’s name and trademarks is strictly prohibited and subject to legal penalties.
About our partners
Accenture is a global management consulting, technology services and
outsourcing company, with more than 305,000 people serving clients in more
than 120 countries. Combining unparalleled experience, comprehensive
capabilities across all industries and business functions, and extensive research
on the world’s most successful companies, Accenture collaborates with clients
to help them become high-performance businesses and governments. The
company generated net revenues of US$30.0 billion for the fiscal year ended
Aug. 31, 2014. Its home page is www.accenture.com
EY is a global leader in assurance, tax, transaction and advisory services. The
insights and quality services we deliver help build trust and confidence in the
capital markets and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our stakeholders. In so
doing, we play a critical role in building a better working world for our people, for
our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member
firms of Ernst & Young Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our organization, please
visit ey.com.
EY’s Financial Services advisory practice has dedicated globally integrated teams
specializing in Financial Crime, Financial Crime Technology, and Information
Security. We draw on deep industry knowledge and technical skills to deliver
solutions in areas including Anti-Money Laundering, Know Your Customer,
Sanctions, Fraud Detection, Trader/Market Surveillance and Cyber Security. Our
services include risk assessment, regulatory response, target operating models,
technology strategy, model development and optimization technology delivery,
remediation, controls effectiveness testing and independent review.
With over 79,000 registered members, RiskTech Forum (www.risktech-forum.com)
is the leading independent information resource for the global risk
technology community. RiskTech Forum is dedicated to the role of technology
as an enabler for risk management. It aims to build the premier network of risk,
compliance, and technology professionals and to act as a single hub for high
quality research and news relating to risk technology.
RiskTech Forum provides free access to over a thousand research papers, videos
and opinions. The content covers multiple industries including banking, capital
markets, insurance, and corporates. It also covers multiple risk and technology
subjects, including market risk, credit risk, operational risk/GRC, financial crime,
regulatory risk, risk analytics, and data management. For more information, visit
RiskTech Forum at www.risktech-forum.com
Contents
1. Foreword
2. Overview
3. Key trends
4. Re-organizing for today’s cyber threat
5. Tackling financial crime through integrated risk and compliance
6. RiskTech100® rankings 2015
7. Category winners
8. Appendix A: Research methodology
9. Appendix B: How to read the RiskTech100® rankings
10. How to use research and services from Chartis
11. Further reading
List of figures and tables
Figure 1: RiskTech100® research taxonomy
Figure 2: Geographical distribution of RiskTech100® companies
Figure 3: Convergence of fraud risk and IT security
Figure 4: Framework for integrated fraud risk and IT security management
Figure 5: Financial intelligence unit
Figure 6: Anti-fraud and AML integration
Figure 7: Bringing together data, models and workflow into common methodologies
Figure 8: Current FCRM processes
Figure 9: Important challenges to successful FCRM
Figure 10: The customer life cycle
Figure 11: FCRM expenditure
Figure 12: Example target architecture for integrated financial crime risk and compliance management
Figure 13: RiskTech100® research methodology
Table 1: RiskTech100® assessment criteria
Foreword
Welcome to the Chartis RiskTech100® report. Now in its ninth year, the RiskTech100®
is globally acknowledged as the most comprehensive study of the world’s most
significant risk and compliance technology companies. This year we’re delighted
to have additional insight from our research partners, Accenture and EY. In chapter
four, Accenture shares a perceptive analysis of how leading banks are tackling cyber
threats by integrating their fraud risk management and IT security capabilities. EY’s
point of view on the role of integrated risk and compliance processes and systems
for tackling financial crime can be found in chapter five.
Over the last twelve months, integrated risk management has emerged as a central
theme for many of the companies we’ve spoken to, with leading financial and non-financial firms looking to combine their risk and compliance capabilities across multiple
risk classes. Often the motivation is to reduce cost and/or complexity – “risk and
compliance simplification” is a common term that we hear from CROs – but the ultimate
benefit is better risk management. Consistent taxonomies, methodologies and systems
drive better decision-making and better alignment to board-level risk appetite.
Of course, the concept of integrated risk management is not new; I remember seeing
presentations on it over 10 years ago, post Barings, LTCM and Enron! The difference is
that many of the enablers for integrated risk management are now better understood.
Enhanced data aggregation, integrated analytics, workflow and reporting have created
the opportunity to move from concept to reality. There’s no doubt that regulation
helps; large fines and new capital and reporting requirements have acted as a catalyst
for action. That said, our research over the last twelve months suggests there is a
danger that, in certain domains and geographies, the regulatory focus is leading to the
‘box-ticking’ behavior that we last saw during the post-Enron Sarbanes-Oxley period,
with firms falling short of realizing the full benefits of better risk management.
On the supply side, cloud-based risk and compliance solutions dominate the
product roadmaps of many of the leading vendors, while Big Data is central to their
communications. Most of the RiskTech100® vendors’ growth strategies are dominated
by solutions for regulatory compliance and, with time-to-compliance a key
differentiator, those with agile and configurable capabilities have a clear advantage.
As ever, the Achilles’ heel for most vendors is post-sales implementation and support.
Both buyers and sellers of risk technology consistently underestimate the data
integration and system configuration challenges – which bring us back to the benefits
of cloud-based delivery! The trend for strategic alliances, mergers or acquisitions
continues as vendors look to enhance their capabilities and establish new channels
for expanding their reach. As such, we’ve noted a coming together of software and
content players aiming to provide a one-stop-shop for risk and compliance.
In addition to tracking the latest trends and developments in the risk technology
marketplace, this report highlights some of the most dynamic and innovative
vendors for key sub-segments and categories (see Category Winners on page 31).
I trust that it will prove both valuable and insightful in the year ahead.
Peyman Mestchian
Managing Partner, Chartis
Overview
The RiskTech100® companies are drawn from a range
of risk technology specialisms, meeting the needs of
both financial and non-financial organizations. However
they share a number of qualities that rank them among
the top 100 risk technology providers in the world.
The rankings are drawn up based on the following
classifications:
Figure 1: RiskTech100® research taxonomy
Horizontal solutions:
• Credit risk
• Market risk
• Liquidity risk & ALM
• Energy & commodity trading
• Financial crime
• Operational risk & GRC
• Regulatory reporting
Vertical sectors:
• Banking
• Trading & capital markets
• Fund & asset management
• Insurance
• Corporations (non-financial)
Chartis categories:
• Functionality
• Core technology
• Organizational strength
• Customer satisfaction
• Market presence
• Innovation
Geographical sectors:
• North America
• Central & South America
• Europe
• Asia-Pacific
• Middle East & Africa
The RiskTech100® only includes companies that sell
their own risk management software products and
solutions. While many provide professional services and
consulting offerings to support the implementation
and use of their software solutions, pure consulting or
professional services firms are excluded from this study.
The biggest rising firms are US-based Safe Banking
Systems, up 24 places to 66th, and India’s Polaris FT, up
22 places to 52nd. Numerix returns to the top 20 at 19.
New entrants to the RiskTech100® are Broadridge at 48,
Bloomberg at 49, Fenergo at 69, CustomerXPS at 87,
OpenGamma at 90, NCR Alaric at 95 and iDetect at 100.
This year, two companies hold the top position in the
RiskTech100®. IBM is once again ranked number one
but is joined by SAS, which moves up from second
place. SunGard retained third place, posting high scores
for functionality and core technology.
Once again, the rankings are dominated by US-based
firms, as shown in Figure 2. The UK is the next most
common location with 19 companies. Next are France
and Canada with 6 companies, while India moves up
from the 8th most featured country to the 5th, with 5
companies.
Figure 2: Geographical distribution of RiskTech100® companies
[Bar chart of the number of RiskTech100® companies per country, on an axis from 0 to 50. Countries shown: US, UK, Canada, France, India, Ireland, Germany, Australia, Austria, Belgium, Denmark, Finland, Israel, Italy, Luxemburg, Netherlands, Switzerland, UAE.]
Key trends
Financial institutions (FIs) continue to dominate
demand for risk technology solutions, despite
tightening their overall IT budgets. Our research shows
that risk IT spending continues to increase within
these budgets, taking larger shares of the available
funding – demonstrating the continued focus on risk
management.
The market for risk technology is staggered in terms of
maturity; banks and capital markets have traditionally
been leaders in risk technology investment, and
therefore have the most mature technology solutions.
However, other industry sectors such as insurance,
energy, commodities and government are also
planning to invest more on risk technology.
Integrated governance, risk & compliance
The vision and promise of integrated governance,
risk and compliance (GRC) has been around for over
a decade. However, over the last 18 months, we have
observed financial and non-financial organizations
making good progress from vision to execution. This
trend is driven by multiple regulatory requirements,
the need to manage the increasing cost of compliance,
and firms’ desire to reduce complexity. For example,
we have seen a number of local and global FIs, on both
sides of the Atlantic, merging their risk and compliance
functions. Furthermore, a number of leading consulting
firms – including some of the “Big Four” advisory firms
– are aggressively promoting integrated GRC as best
practice.
Few firms have been successful in any kind of a ‘big
bang’ approach for integrated GRC. Instead, it requires a
phased modular approach. Common starting points we
have observed include integrating:
• Operational risk and compliance
• Market risk and credit risk
• Fraud risk and anti-money laundering (see chapter 5
by EY)
• Fraud risk and IT security (see chapter 4 by
Accenture)
• Risk and finance
Frequently it is the latter – integrating risk and finance
– that is adopted as a strategic starting point. The
alignment of data, metrics and processes between
risk and finance functions is seen by many firms
as a fundamental requirement. A small number of
RiskTech100® vendors have taken up this trend as
an opportunity, and are providing integrated data
management, workflow, analytics and reporting
platforms as enablers. The ultimate goal here is an
enterprise framework for risk-based performance
management supported by a robust and flexible
technology environment.
Risk data aggregation & reporting
Providing senior management with clear, relevant
information about the whole enterprise has always
been a problem for organizations in every sector.
Risk information is no exception, and large, multinational institutions with multiple technology systems
still struggle to gain a single view of the financial
position and risk faced by the organization. Rectifying
this situation is a vital step towards effective risk
management and improving performance.
This challenge is especially difficult for FIs. The
increased speed and volume of transactions have led
to exponential growth of the ‘three Vs’ of data (volume,
variety, velocity), and firms must process and respond
to this data quickly to tackle risks and seize market
opportunities. Regulatory pressures only add to the
burden. In November 2011, the Financial Stability Board
published policy measures to address conduct by
systemically important financial institutions (SIFIs), and
named 29 global systemically important banks (G-SIBs).
These institutions must meet stricter regulatory
requirements for data aggregation, risk governance and
internal controls. The US Financial Stability Oversight
Council (FSOC) also designated eight key financial
system infrastructure entities as SIFI “utilities”, as well as
a number of non-bank financial companies, including
internationally active insurance companies. This has
been mirrored by regulators around the world.
It is important that firms do not underestimate the
scale of the challenge that they face. The 2012 Basel
Committee document (BCBS-239) Principles for effective
risk data aggregation and risk reporting is frequently
referred to as an industry guideline and can be used
for baseline capability measurement for a range of risk
reporting activities.
Covering a wide variety of topics and instances, the
guidance relates to four interconnected areas:
• Overarching governance and infrastructure – The
Board must be aware of any weaknesses in the
technology architecture, and the infrastructure
should support aggregation and reporting across
silos and in times of stress.
• Risk data aggregation capabilities – Systems need to
generate accurate aggregated data in an automated
and on-demand fashion.
• Risk reporting practices – Firms must be able to
submit reconciled, validated, accurate reports that
cover all material risks, with an awareness of gaps.
• Supervisory review, tools and cooperation –
Supervisors will review compliance and should
be able to restrict risk-taking if concerned by data
deficiencies.
Chartis predicts that, in due course, these requirements
and standards will trickle down from Tier 1 global
institutions to Tier 2 firms, although the levels of
complexity will always be higher for the larger firms.
This will be a core area of research for Chartis in 2015.
Basel 3
Basel 3 continues to be a catalyst for risk technology
initiatives and expenditure across many regions.
Basel 3 guidelines require FIs to perform more
calculations and submit more data to regulators than
ever before; all the while meeting greater pressure to
increase their capital, liquid assets and collateral. This
increased workload means many FIs have to allocate
limited risk and finance resources to regulatory tasks
rather than pursuing business goals.
To adapt to resource-squeeze and the impact of new
regulations, financial institutions need to make a
number of changes to improve their performance:
• Improve capital management
• Integrate risk and finance
• Integrate liquidity and collateral management
• Implement enterprise-wide risk management
• Implement enterprise-wide stress testing
Rather than running before they can walk, firms should
consider which elements of a Basel 3 system they need.
Implementing an enterprise-wide system may be useful
for banks that have made little progress so far. More
advanced firms may only need specific components,
e.g. liquidity risk reporting, and should assess the pros
and cons of ‘buy vs. build’. Either way, systems will need
to be flexible enough to integrate with others, and to
adapt to future regulatory changes.
Solvency II
Insurance firms across Europe and beyond are dealing
with the challenges of implementing a set of risk-sensitive solvency and capital requirements that come
under the Solvency II umbrella. We have noted that key
trends in this market include:
• The rising cost and complexity of implementing
Solvency II
• Most firms are moving from Pillar I to Pillar 2
requirements, particularly on ORSA (Own Risk and
Solvency Assessment)
• Vendor solutions specifically designed for the
insurance industry are winning against generic
solutions, which are often banking-focussed
• Data management remains the number one obstacle
to successful implementation
Conduct risk
There continues to be an increased global focus on the
behavior of FIs with respect to their customers – driven
by regulation from around the world, and following
on from scandals such as mis-selling of insurance and
mortgage products, and market abuse such as LIBOR
rate-fixing. Incredibly, global fines for conduct-related
failures reached over $250 billion from 2009-2014.
FIs are therefore beginning to examine how to define
and manage conduct risk across the enterprise, from the
establishment of culture and governance processes, to
the implementation of new technology platforms. Many
firms see conduct risk as a sub-set of operational risk.
Indeed, according to an OCC (Office of the Comptroller
of the Currency) review of bank risk, operational risk has
overtaken credit risk as the most important risk type.
However, conduct risk is not only an issue for the
financial services industry, as recent cases of bribery in
the defense industry and accounting fraud in the retail
industry go to show.
Evolution of crime analytics
Until recently, most small and mid-sized firms could
not afford the expertise and technology of advanced
crime analytics. Up to now it has been accessible only
to the top tier of finance and government institutions.
Also, the analytical tools themselves had traditionally
been designed for advanced (PhD level) users and not
accessible by business users/generalists.
However, this picture is starting to change. Innovations
in areas such as cloud-based analytics, new visualization
tools and open analytical discovery toolkits are putting
crime analytics in the hands of business users.
Further advances include the use of artificial
intelligence, unstructured data analytics, in-memory
and real-time computing and open-source data/
content.
Risk & compliance solutions as-a-service
The idea and promise of risk and compliance as-a-service has been around for some time. Already a
number of sub-segments (e.g. buy-side risk analytics)
have mature hosted and cloud-based solutions.
However, over the last twelve months, we have
observed a significant shift in demand towards hosted
risk and compliance solutions across more industry
verticals and risk classes. The technology vendors are
responding to this demand by developing horizontal
software-as-a-service solutions in such segments as
Know Your Customer (KYC), Anti Money Laundering
(AML), GRC, market risk and regulatory reporting.
Risk technology expenditure in the US
The US is the fastest growing market for risk IT
expenditure. This is driven by a raft of new financial
services regulations coupled with stringent local
enforcement.
Risk IT spending priorities in the US include:
• Capital adequacy infrastructure, with particular focus
on credit risk
• Enterprise stress testing
• Model risk management
• Liquidity risk management
• Operational risk management
• Collateral management
New definitions of emerging market banks
Our research identified clear regional and geographical
differences in risk management and compliance trends.
However, demand for risk technology in the emerging
markets is not segmented along the traditional regional
lines of Asia-Pacific, Americas, Middle-East and Africa.
A more representative segmentation of the emerging
markets is by maturity, as outlined below:
1. Advanced – making good progress towards
implementing Basel 3, demonstrating substantial
knowledge and expertise, and focusing on
comprehensive stress testing and advanced risk
analytics. Countries in this market segment include:
Brazil, Malaysia, Mexico, Saudi Arabia, Singapore and
South Africa.
2. Intermediate – post-Basel 2 but pre-Basel 3, with
some in-house expertise yet lacking more advanced
know-how. Conducting basic stress testing and
in the process of attaining skills and technology
for the more sophisticated requirements of Basel
3. Countries in this segment include China, Hong
Kong, India, Indonesia, Philippines, Russia, South
Korea, Thailand and Turkey.
3. Developing – still implementing Basel 2, with a
focus on putting credit risk management systems
and processes in place and learning about
advanced operational risk management. Little or no
attention given to stress testing, and government
enforcement of Basel regulations tends to be
relatively weak. Countries in this segment include:
Argentina, Egypt, Ghana, Kenya, Nigeria, Qatar, UAE,
Uruguay and Vietnam.
Partnerships, mergers and acquisitions
In the last twelve months, Chartis have observed and
advised on a number of high profile strategic alliances,
mergers and acquisitions in the risk technology
marketplace. The key drivers for most of these
transactions are:
• Access to new product functionality and/or
technology capabilities
• Access to innovative intellectual property (IP) or risk/
compliance content
• Access to new channels to market, e.g. new
geographical or industry verticals
• Speed to market
• Becoming a one-stop-shop for risk and compliance
solutions
Selected transactions and partnerships from the last
twelve months include:
Reed Elsevier’s acquisition of FircoSoft – FircoSoft
will become part of Accuity, Reed Elsevier’s provider of
global payment routing data and compliance solutions
to banks and businesses worldwide. The acquisition will
extend Accuity’s portfolio of next-generation products
and solutions covering AML, KYC and regulatory
compliance. The estimated value of the transaction is
€150m.
Intercontinental Exchange’s (NYSE: ICE) acquisition of
SuperDerivatives – Founded in 2000, SuperDerivatives
provides risk management analytics and systems
across multiple asset classes – including interest rates,
FX, credit, equities, energy and commodities – to
customers such as banks, asset managers, corporations,
central banks, auditors and brokers. The acquisition
will accelerate the expansion of ICE’s comprehensive
multi-asset class clearing strategy. Terms of the all-cash
transaction included a purchase price of approximately
$350 million.
MSCI’s acquisition of GMI Ratings – GMI Ratings is a
provider of corporate governance research and ratings
on over 6,000 companies worldwide. Clients of GMI
Ratings include leading institutional investors, banks,
insurers, auditors, regulators and corporations seeking
to incorporate environmental, social and governance
(ESG) factors into risk assessment and decision-making.
GMI Ratings was formed in 2010 through the merger of
GovernanceMetrics International, The Corporate Library
and Audit Integrity. The addition of GMI’s corporate
governance research and ratings will enable MSCI to
offer its clients a depth and quality of coverage across
all three pillars of ESG research. The estimated value of
the transaction is $15m.
ACI Worldwide’s acquisition of Retail Decisions
(ReD) – ACI Worldwide (NASDAQ: ACIW), a provider of
electronic payment and banking solutions, completed
the acquisition of Retail Decisions (ReD), a provider of
fraud prevention solutions. The combination of ACI and
ReD results in a comprehensive merchant retail risk and
customer experience management solution. Under the
terms of the agreement, ACI Worldwide acquired ReD
for an all-cash purchase price of $205 million.
IBM’s acquisition of CrossIdeas – IBM acquired
CrossIdeas, a privately owned provider of security
software that governs user access to applications and
data across on-premise and cloud environments. The
financial terms were not disclosed. IBM has now made
more than a dozen acquisitions in security over the past
decade and invested extensively in dedicated research
and development in the security space.
FIS’s acquisition of CMSI – CMSI is a leading provider of
consumer loan origination and portfolio management
software to a range of financial institutions within
the US and Canada ranging from community-based
institutions to large, international lenders. The
acquisition expands FIS’s total lending offering to North
American financial institutions and creates an end-to-end loan life cycle management offering for direct and
indirect lenders across North America. The terms of the
transaction were not disclosed.
Deutsche Börse’s acquisition of Impendium
Systems – Deutsche Börse Market Data and Services
acquired Impendium Systems, a London-based firm
that deploys cloud-based software solutions to help
customers achieve regulatory compliance in Europe,
North America and Asia-Pacific. The deal represents
an important step in Deutsche Börse’s growth strategy
of integrating technology and data offerings to better
serve client needs.
GoldenSource and CTI form strategic alliance to
provide FATCA solution – GoldenSource, a supplier of
enterprise data management solutions for the securities
and investment industry, announced a strategic alliance
with Compliance Technologies International (CTI), a
provider of tax withholding and compliance software.
The aim of the partnership is to provide a complete,
end-to-end, FATCA solution for financial institutions.
Misys and FircoSoft form alliance to tackle the
dangers of dual-use goods and financial crime in
trade finance – More than 200 banks rely on Misys
FusionBanking Trade Innovation to manage their trade
finance operations. Now that it is combined with FircoSoft’s
solutions for sanctions filtering, banks are able to screen
international trade messages for sanctions purposes
as well as monitoring incoming or outgoing payments,
throughout the trade life cycle.
Markit and Genpact launch KYC services – Citi,
Deutsche Bank, HSBC and Morgan Stanley work with
Markit and Genpact to design a new service to centralize
client on-boarding and KYC data management. The
partnership will operate as a joint venture and will
serve customers from centers in London, New York,
Dallas, Bucharest, Krakow, Bangalore and Noida. It
builds on expertise and technologies offered by Markit
and Genpact, including Genpact’s Remediation as a
Service platform, which offers workflow, document
management, analytics, reporting, traceability and
governance, and Markit’s Counterparty Manager
service.
Trusteer to integrate with Fiserv Retail Online
and Business Online banking solutions – Fiserv,
Inc. (NASDAQ: FISV), a global provider of financial
services technology solutions, and Trusteer, an IBM
company and a provider of endpoint cybercrime
prevention solutions, announced a partnership to
provide integrated fraud prevention services designed
to protect financial institutions and their customers
against cyber-attacks. As part of the agreement,
Trusteer technology will be available to Fiserv online
banking clients.
Re-organizing for today’s cyber threats
Converging fraud risk management with IT security
Banks are facing an urgent need to bring the historic
silos of fraud risk management and IT security more
closely together to combat mounting data security and
cyber threats from increasingly well organized criminal
entities.
The past two decades have seen an accelerated rate
of product development and technology adaptation
within the financial services sector. From the
introduction of the first online banking service in the US
in 1994,¹ the industry has developed and implemented
increasingly innovative services. Customers today
benefit from contactless card payments, mobile
banking apps and person-to-person payments, to name
just a few of these innovations.
The threat for banks however, is that, in tandem
with the technological developments underpinning
an ever increasing set of new service offerings,
organized criminals have been developing multi-pronged
strategies to exploit fresh weaknesses and
vulnerabilities for fraudulent gain. If we were to think of
financial institutions as homes, and organized criminals
as potential burglars, then each time banks implement
a new product or open up a new channel for customer
interaction, this effectively adds a new window or door
that could serve as an entry point for those criminals
and therefore needs to be secured.
As the IT systems supporting banking services have
become more advanced from mainframes in the 1960s,
to today’s Web 2.0 and cloud technologies, criminals
have become more sophisticated in their abilities to
target and penetrate these systems. Today’s organized
criminals are deploying a wide array of attack methods,
Figure 3: Convergence of fraud risk and IT security
Accelerating rate of product development
Bank of America
credit card
Cheque
guarantee cards
1958
1950
Diners
charge card
Development
of ACH
1966
1966
Barclaycard
launched
Introduction of
home banking
1970
1970
Rollout of
ATMs
Microsoft includes online
banking in finance software
1980
1980
Rollout of
debit cards
Contactless
card transactions
1994
1994
First online
banking website
Banking
apps for smart phones
2007
2003
Chip and PIN
trials begin
2010
2008
2014
Faster payments Person-to-person
rapid or instant clearing
payments: paym
Driving evolving vulnerabilities to fraud
Fraud risks
Risk Management
• Credit risk
• Market risk
• Operational risk
• Financial crime
• Conduct
Integration of risk and IT
Check Fraud
Lost and stolen cards
Application fraud
Mail non-receipt fraud
Account take-over
Counterfeit card fraud
Cash machine / ATM fraud
Historic separation
of domains
Phone banking fraud
Fake banking apps
Phishing websites
Industry responses
eg: Chip & PIN, EMV,
3-D Secure
Evolving product, business and IT risks
driving the integration of risk and IT
IT risks
Technology responses
eg: data analytics,
sophisticated profiling
Advanced persistent threats
IT Security
• Policies
• Physical controls
• Anti-virus
• Access controls
• Device hardening
• Segmentation
IT evolution
Social engineering
Card not present fraud
Resilience
Remote access trojans
Key logging
Drive by downloads
Disaster recovery
Intrusion
Screen capturing
Man-in-the-middle attacks
Distributed denial of service
Mainframe
Mini
Copyright © 2014 Accenture All rights reserved.
Source: Accenture analysis, November 2014
© Copyright Chartis Research Ltd 2014 | All Rights Reserved
Client - server
Web services
HTML injection
Man-in-the browser attacks
Bring your own device
Proxy servers, DNS poisoning
Cloud
1
13
such as screen capturing, man-in-the-middle attacks,
Trojans, falsifying mortgage applications, card cloning
and embedding sleepers within the workforce, among
many others.
For financial institutions, particularly in the areas of
retail banking and payments, there are enormous
opportunities to be gained from enhancing their
digital offerings to customers. The overall experience is
improved as customers gain greater flexibility in how
they manage their finances, while at the same time banks
are able to lower their operating costs, and also offer
more personalized products and services to customers
through better use of data and analytics capabilities.
The challenge for banks however, is to implement these
new digital models at speed so they can maintain a
competitive edge in the market, but without putting
security at risk. To date, the speed at which many banks
have evolved their technology and service offerings
has been so rapid that their counter-fraud strategies
have struggled to keep pace. And looking forward, the
expectation is that the pace of change will only increase.
The need for convergence
Traditionally, banks have managed different categories
of fraud within silos. For example, there may be specific
teams dedicated to check fraud, mortgage fraud,
credit card fraud and so on. But often, these teams
are not sharing data with one another, and they may
be reporting into individual heads of fraud for each
business line. Ultimately, the chief risk officer (CRO)
would tend to be at the top of this umbrella.
Meanwhile, IT security issues, such as those concerned
with systems access, tend to be managed solely by the
IT function, often under the jurisdiction of the chief
information officer (CIO).
As traditional risks converge with new risks such as
cyber threats, banks are becoming exposed to security
threats that can fall between the cracks of the various
silos. Organized criminals are targeting several channels
at the same time, aware that many banks are unable to
connect the dots and spot wider patterns of behavior
as a result of these historic structures and the lack of a
holistic approach to risk and security.
Furthermore, legacy information security, event log
management, and fraud and risk management software
solutions, which still form the backbone of many risk
and security architectures, lack the ability to provide
deep insights into real-time user behaviors, transactions
and data.
If security solutions remain siloed and banks continue
to extend their offerings, then sophisticated criminals
will simply run rings around them, bypassing existing
controls and protections by abusing the business logic
across multiple channels. To fight this organized crime,
banks need a sophisticated, organized approach of
their own. Developing such an approach however will
require financial institutions to concentrate more of
their budget on developing more advanced solutions
to support the future shape of the industry, rather than
focusing investments to respond to issues from past
transgressions or remediation activities.
Digital disintegration – cyberattack as a global risk
The threat of cyberattack is no longer something
that can be addressed by individual organizations
in isolation. As the World Economic Forum notes
in its Global Risks 2014 report, the increasing
interconnectedness of every part of the world’s
societies and economies, that rely on the same
infrastructure, hardware and software standards raises
the prospect of disruptions having systemic impact.
In future, cyber governance must become a combined
international effort. For instance, the growth of the
“internet of things” means that more and more
devices are now online, widening the reach of cyber
connectivity into people’s lives across the world. This
serves to create more points of entry for attackers
and exacerbates the potential damage that could
be caused. At the same time, the complexity of
interaction between people and their “connected”
devices across the globe is making those impacts
harder to predict.
While banks and financial institutions are
concentrating on boosting their own organizational
defenses, what may be needed in future is
cooperation between nations, their governments
and private organizations, to counter the common
threats. Fresh thinking is required on how to
preserve, protect and govern the common good of a
trusted cyberspace.
Organizing an effective international response will not
be easy however. Recent revelations surrounding the
extent to which national security organizations have
allegedly been using the internet for spying threatens
repercussions that may make it more difficult to
prevent widespread attacks, or contain them when
they occur. If there is a breakdown of trust among
nations, it could be disastrous for cybersecurity.
In the same way that piecemeal solutions within
banks are unable to effectively combat multi-pronged
attacks from organized criminals, solutions
undertaken without cooperation between nations will
fail to address the systemic threats that are emerging.
Integrating fraud risk and IT security
In many countries, recently introduced banking
regulations are driving firms to evaluate their risk
management frameworks from a more integrated
perspective than ever before.
At the same time, leading banks are responding
quickly to the emerging threats posed by organized
criminals by integrating their approach to fraud risk and
cyberattack across the organization.
As they respond to these twin pressures, financial
institutions will need to address challenges around
people, processes and technology.
People
Banks must ensure that there is formalized knowledge
sharing between those in the fraud risk function and
the IT security function. In addition, they will need
to align behaviors around risk management across
the organization. Part of the solution will involve
adjusting incentives and targets to ensure that both IT
security and fraud risk personnel are measuring their
performance and effectiveness in this area in ways that
are aligned for the desired outcomes of the bank.
The differing cultures, experiences and backgrounds
of the stakeholders will also need to be addressed, in
order to establish a common level of understanding
and use of terminology (for example, a unified
taxonomy for risk and controls). The importance of an
effective communications strategy in achieving this
level of change cannot be overemphasized.
The wider business must also ensure that these two
functions are in a position to be proactive, rather than
reactive as has historically been the case. For instance,
they need to be involved earlier in decision-making
processes, especially around the future development of
products and services – rather than being engaged at the
end of a decision chain. Developing a product or service
that cannot be supported does not benefit anyone.
Process
At present, many banks manage fraud cases through
separate units, using different system tools to log
activity. However, this approach does not reflect the
way fraudsters are behaving, as they attack the bank
from multiple angles in a coordinated manner. Banks
must therefore shift to enterprise case management,
enabling them to look at every fraud or risk case that
arises within the organization as a single portfolio, to
protect themselves more effectively.
Another key step is to ensure that there is common
governance across risk and IT security. This will involve
aligning risk and performance indicators. At the same
time, policies must be realigned to ensure that they
reflect the new aggregation of responsibilities across
the two functions. Underpinning this will be a need to
re-engineer the management information processes
and the key metrics being applied.
Technology
The foremost technology priority for banks is to ensure
that organizational data is freed from silos and shared
upon common platforms. This undertaking must
encompass both structured data, such as transactional
and account data, as well as unstructured data, such as
email, video, image and social media.
Ensuring that common data standards are enforced
across functions will be another key aspect of this
shift: at present, a lack of common oversight around
data management means that different standards
and taxonomies are often applied to the same data
by individual business units. In addition, without
consistency in reporting, it becomes almost impossible
for the board to project organizational risk priorities
accurately and respond appropriately. Therefore, a
single data governance framework covering fraud and
IT security is a critical success factor. For many leading
banks, the chief data officer (CDO) plays a key part in
defining the appropriate policies and procedures for
data governance.
Advanced analytics technologies provide the ability
to gain a real-time understanding of behavior and
spot anomalies that indicate threats. These analytics
must also be appropriately intuitive and accessible:
enterprise dashboards can deliver integrated fraud and
security visualization capabilities depicting key risk
and control metrics, for instance, with full drill-down
capabilities into the source data.
[Figure 4: Framework for integrated fraud risk and IT
security management. Stakeholders shown: CRO, CCO,
Head of security, CIO, COO. Layers shown: visualization
layer, enterprise core management, detection layer, data
integration layer, point solution layer. Source: Chartis,
November 2014.]
Convergence is a multi-year journey
The convergence we have discussed is a significant
undertaking and clearly cannot be achieved overnight. As
with any business change of this scale, a phased approach
will be required. Importantly, it will need to be aligned
to the strategy and desired positioning of the bank.
So while the sequence of the journey will be dependent
upon each individual bank’s current structure and
culture, there are some common steps that all banks
should consider.
Gap analysis and vulnerability assessments must
be made to identify any weaknesses in controls and
potential opportunities for malicious activity. The results
of these assessments can then be used to design a
target operating model that effectively protects against
those highlighted risks. Once this has been identified, it
is important initially to pursue the low-hanging fruit to
build momentum and senior management support for
the change process. For example, it may be that existing
systems already hold some degree of shared data, so this
would be an obvious starting point.
In addition, the scale and importance of the
transformation may justify the appointment of
someone with the appropriate skillset to oversee the
change. Some large banks have begun to hire for
roles entitled ‘Head of Operational Risk Change’, for
instance. And in the same way that criminals today
have grown in sophistication by working together in
online networks, we expect to see increased sharing of
insight across financial institutions, and some common
platforms being established, along with laws and
law enforcement evolving to enable banks to better
collaborate and protect themselves.
While it is likely to take several years before the
desired convergence is achieved, what is clear is that
leading banks are already moving in this direction,
and Accenture and Chartis expect this trend to extend
across the industry. In some ways, financial institutions
are involved in an arms race to improve their security
defenses, but the good news is that there are multiple
players involved. The banks that are leading the pack
will naturally face fewer attacks, as criminals will
always target those with the weakest defenses. And
with financial institutions increasingly competing on
their ability to act as custodians of customer data, the
convergence of fraud risk and IT security will drive their
competitive advantage in this area in future too.
Notes
1. “How Online Banking Evolved Into a Mainstream Financial
Tool,” Motley Fool, November 9, 2014. Access at:
www.nasdaq.com/article/how-online-banking-evolved-into-a-mainstream-financial-tool-cm411861
About the Accenture contributors
Steve Culp
Senior Managing Director Accenture Finance & Risk Services
Based in Chicago, Steve has more than 20 years of global experience working with
clients to define strategy, and execute change programs across a broad spectrum
of risk management and finance disciplines. Steve is responsible for leading the
global group across all dimensions, from setting the strategic direction through to
the enablement of local teams operating across diverse markets. In addition, he
oversees Accenture’s efforts on large-scale transformation programs across Finance
and Risk for some of our most important financial services clients. Prior to his
current role he was responsible for our Global Risk Management Practice, and prior
to that he led Accenture’s Finance & Enterprise Performance consulting services
for global banking, insurance and capital markets institutions. With his extensive
experience in the financial services industries, combined with his knowledge of risk
management and the finance function, he guides executives and client teams on
the journey to becoming high-performance businesses.
Mark Daws
Managing Director Accenture Finance & Risk Services
Based in London, Mark has more than 25 years of financial services experience,
specializing in large, complex risk, regulation and compliance, and IT-enabled
business transformation client assignments.
His deep experience across all sectors of the financial services space includes
previous roles as a Technology Consultant leading large and complex risk and
regulation IT implementations; a Solvency II Chief IT Architect leading the design
and implementation of Solvency II solutions; a Forensic Technologist assisting
clients in crisis-management situations including rogue trading and sanctions
violations; and a Financial Services Regulator focusing on complex and high-profile
investigations.
DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader’s specific
circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable
law, any and all liability for the accuracy and completeness of the information in this document and for any acts or omissions made
based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such
advice from their own legal counsel or other licensed professionals.
Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary
interest in the marks and names of others.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Copyright © 2014 Accenture All Rights Reserved
Tackling financial crime through integrated risk and compliance
Leading financial institutions (FIs) are
rethinking their organizational structures
to manage financial crime risk more
effectively. The integration and alignment
of risk and compliance functions will be
crucial if the financial services sector is to
address the broader sources of financial
crime risk and tightening regulation to
which it is exposed today.
FIs are becoming exposed to increasingly sophisticated
techniques used by organized criminals, who target
vulnerabilities that are opening up as large volumes
of customers perform multiple transactions across
multiple channels. Cyber threats are one part of
the equation, but FIs are grappling with criminals
who often target a number of different internal and
external channels. In addition, they must monitor
traders, sanctions and watch-lists, and deal with the
proliferating numbers of smaller financial crimes, all the
while managing tightened budgets.
At the same time, the sector is facing a significant
compliance burden as regulation of its practices
continues to tighten, and as customers and investors
demand greater transparency and integrity from
financial dealings. The introduction of the Foreign
Account Tax Compliance Act (FATCA) in the US this
year – as well as the subsequent intergovernmental
agreements (IGA) to follow – is just one such signal of
international intent to make FIs more accountable for
risk and compliance management on behalf of their
customers. In addition, the operational costs of financial
crime risk management are rising: the monitoring of
the multitude of channels is proving to be increasingly
expensive for firms in terms of expertise and the
establishment of Financial Crime Risk Management
(FCRM) Systems.
There have been several recent cases of large FIs being
fined by regulators and reproached in the media for
failures in their anti-money laundering (AML) and
sanctions monitoring controls, too. Given that such
financial crime is fundamental to the operations of
terrorists, drug traffickers and corrupt political regimes,
FIs simply cannot afford to risk the reputational damage
inflicted by such compliance failures.
The traditional silo-based approach to the management
of financial crime risk and compliance – whereby
separate organizational structures support individual
risk types such as money laundering, card fraud or
internal fraud – will no longer suffice. A disconnected
set of fraud or AML platforms is less likely to stand
up to attacks that cut across multiple business
lines, geographies and risk types. It is for this reason
that FIs are looking towards integrating their risk
and compliance systems. In the long term, small
incremental adjustments to systems and processes will
simply not be enough.
The EY point of view: The establishment of financial intelligence units
One emerging industry trend in response to
increased regulatory scrutiny is the adoption of
financial intelligence units (FIU). Financial institutions
are looking to establish or enhance their financial
intelligence units in order to better leverage disparate
sources and available internal and external intelligence
to improve the effectiveness and efficiency of their
financial crime risk management programs (Figure 5).
The core concepts of collation, analysis and
dissemination of intelligence are highly applicable to
the current environment in FIs. While the approaches
to design and implementation of an FIU vary
significantly across industry, FIs are recognizing the
benefits of maximizing the information available for
analysis and investigation along with standardizing
processes across lines of business, geographies and
financial crime domains (e.g., AML, fraud, bribery,
corruption, sanctions, tax evasion and cybercrime).
Longer term, FIU concepts encourage a more
proactive stance to financial crime risk management,
allowing banks to better identify and be more
adaptive to emerging trends and typologies.
[Figure 5: Financial intelligence unit. Panels: potential
functional scope of an FIU; example FIU geographic
structure (country, regional and global FIUs). Source: EY]
The business case for integrated risk and compliance
Apart from protecting against financially damaging
attacks and regulatory fines, there are business,
compliance, efficiency and cost advantages to be gained
from integrating risk and compliance capabilities. In
a recent Chartis survey of senior executives within FIs
around the world (Figure 6), 71% of respondents agreed
that there is a compelling business case for integrating
some or all of their anti-fraud and AML systems into a
single technology environment.
A siloed approach to managing financial crime risk
makes it almost impossible for FIs to spot the patterns of
behavior across the organization that would enable
them to identify sophisticated attacks that target
multiple sources. Regulators and FIs are drawing links
between types of financial crime. Fraud and trading
violations are increasingly being regarded as predicate
offenses: those offenses whose proceeds may become
the subject of money laundering.
Opportunities for criminals to undertake multi-pronged
attacks have been expanded by the explosion of
new technologies that FIs have implemented, and
the increase of remote banking transactions through
internet and mobile channels (e.g., person-to-person
payments and mobile banking apps). This has served
to amplify the inter-connectedness of financial crimes.
For instance, most fraud crimes have some kind of
money-laundering element in them, as the proceeds of
fraud have to be placed back into the financial system,
layered with transactions to separate the money from
its source, and finally integrated, returning the money
to the criminals from a seemingly legitimate source.
A key advantage of integrated risk and compliance is
that it brings the personnel tackling different financial
crimes and compliance initiatives closer together, to
enable direct communication among teams managing
fraud risk, AML and market abuse, for instance. This also
helps organizations visualize potential financial crime
risks across business lines, and build a holistic view of
normal and abnormal behaviors.
Figure 6: Anti-fraud and AML integration
Do you believe that there is a compelling business case for
integrating some or all of your anti-fraud and AML systems into a
single technology environment?
Strongly agree: 31%
Agree: 40%
Neutral: 26%
Disagree: 1%
Strongly disagree: 2%
Source: Chartis financial crime global survey
There are several examples in the industry of how
FIs can obtain benefits from sharing intelligence and
information from different risk and compliance silos to
glean insights on financial crime risks. For example:
• Rogue trading events may have been better
understood by combining views on toxic
combinations of access with unauthorized trading
activity for individual trades.
• More comprehensive KYC and trader surveillance
information for individual broker dealer customers
may have identified toxic, large-scale Ponzi schemes
using floats generated by sophisticated check kiting
techniques earlier.
• New human and drug trafficking typologies have
benefited from sharing information between fraud
and money laundering departments.
Convergence of people, processes, technology and data
Until now, most FIs have been reacting to the sector’s
rapidly evolving regulatory requirements on a piecemeal
basis, meaning that some of the data and technology
being used to combat financial crime have been
duplicated across the organization. The integration of
risk and compliance is an opportunity to remove that
duplication of effort, and to bring data and analytics
together into a central and consistent environment.
This environment can be considered to consist of three
key building blocks that must be brought together:
data, models and workflows. These can be drawn
together into common methodologies and processes,
enabling standard operating models, and consistent
analysis across risk silos, and organizational and
geographical barriers (Figure 7).
In most FIs, separate business lines use individual case
management databases for logging and managing
risks that arise, while reporting is also done on a siloed
basis. Pooling cross-organizational, cross-border data
is perhaps the most important step in the integration
process. An enterprise financial crime data management
strategy can deliver a host of advantages, such as:
• The identification of previously unidentified patterns
of behavior through linking unusual activities across
risk silos, business lines and borders.
• The recognition of new threats and construction of
intelligence that can be used to enhance controls in
individual monitoring platforms.
• The ability to recognize the scale of impact of an
attack and coordinate an appropriate response.
• The ability to enable true enterprise-wide search
to facilitate internal and external requests for
information.
Cost savings
Recent discussions with Tier 1 FIs have revealed that, if
managed properly, the integration of multiple risk and
compliance functions can deliver cost savings between
20% and 30%, as a broad estimate.
This is achieved through a combination of system and
process rationalization. Creating a unified data platform
will reduce the cost of ownership for a particular
system, because the support and maintenance costs
are shared. The integration of systems makes data
management an easier task too.
Figure 7: Bringing together data, models and workflow into common methodologies
Common methodologies
Data
• Risk data can be shared across the lines of AML, fraud,
sanctions monitoring, trader surveillance, and cyber
security.
• Data can be shared across business lines and
geographies to establish a common standard. This should
take into account any potential issues with national and
regional data protection laws.
Models
• Linked models can be used to build holistic views of
customers.
• More efficient or specifically purposed analytics for
counter-fraud or AML can be re-used and utilized to
reinforce or disprove conclusions from their neighboring
disciplines.
Workflow
• Workflow activities can be brought together into an
enterprise-level case management system.
• A single hub can be created for investigations or
action plans.
A centralized financial crime department can also
provide a centralized group of investigators, cutting
down on manpower and bottlenecks in expertise, and
enabling more efficient investigations and reporting.
This can cut down on duplication of effort and increase
transparency, scalability and agility. In the end, this can
result in significant cost savings while improving risk
management.
The challenges of risk and compliance integration
In today’s competitive environment, the emphasis
of many FIs is on cost reduction and efficiency
improvements. Against this backdrop, it can be difficult
to prioritize the fight against financial crime and
simultaneously meet the ever-increasing compliance
requirements. At the same time, as with any business
change process, risk and compliance integration is a
complex undertaking.
The high-profile punitive fines doled out to several
global FIs by regulators and national governments in
the past few years have underlined the importance
of investing in this area, but there are some difficult
barriers to overcome.
According to the survey (Figure 8), only 12% of FIs
currently have fully integrated FCRM processes based
on unified technology architecture and data model,
while the vast majority still has significant hurdles to
overcome to achieve this.
Figure 8: Current FCRM processes
Which of the following options best describes your current FCRM processes?
Fully integrated processes and systems based on a unified
technology architecture and data model: 12%
Semi-integrated processes and systems with some level
of alignment and data sharing, but not fully integrated: 69%
Well formulated and communicated processes that are
totally separate with little or no integration: 19%
Source: Chartis financial crime global survey
Breaking down silos
A more holistic approach to tackling FCRM is needed
because without a centralized approach, it becomes
almost impossible to join the dots in recognizing
patterns of behavior associated with organized attacks.
Before getting down to the hard graft of technological
integration, FIs need to ensure that their organizational
structures are aligned. It is a common error to attempt
to “patch up” perceived organizational gaps with
technology and, in the long term, this will only serve to
create yet more structural complexity.
A key issue that FIs must address is the need to align all
the various efforts taken to manage financial crime risk
and compliance across the organization. For example,
some aspects of FCRM, such as counter-measures for
internal and external fraud, are directly driven by the
business case and introduced to prevent direct losses
or bad debt provisions. Other aspects, however, will be
driven by regulation, such as AML, FATCA and sanctions
monitoring, and by indirect losses in the form of
regulatory fines and brand erosion. It is vital to ensure
that these different motivations for change do not
lead to change processes being undertaken by isolated
teams that are not working toward the aligned risk
appetite of the firm. Ideally, these individual initiatives
need to be managed as a portfolio with a vision for an
integrated target operating model.
At the same time, business transformations can create
long-lasting misalignments in business practices and
culture. In order to manage financial crime risk and
compliance more effectively, firms must overcome this
barrier by educating the workforce to use common
methodologies when identifying and scoring risks, for
instance, and to ensure that internal risk and compliance
standards and taxonomies are aligned.
This process is made more challenging in larger FIs,
which are inherently complex. For example, many of
today’s largest financial institutions have grown through
mergers and acquisitions (M&A) at some stage, which
often gives rise to silos where business units in the
acquired firm are not sufficiently consolidated into the
new organization because of difficulties in aligning
mismatched products, services, and processes.
Managing data
When bringing together workflow, data and models
into a common methodology, aligning analytics and
workflows is essential, but FIs normally find that the vast
bulk of the necessary work is in the data management.
Furthermore, FIs have not historically been strong
at documenting and developing a consistent IT
architecture, meaning that M&A events have also led
to overlapping and complex legacy systems in many
cases. In terms of FCRM systems, it may be that specific
systems are dedicated to individual areas, such as check
fraud, credit card fraud, and so on. In many cases, these
systems and their data will need to be realigned to
establish a unified FCRM platform.
A unified data platform that enables analysis of reliable
and consistent information from across the organization
will form the lynchpin of FCRM in future. This resonates
with our survey respondents (Figure 9), 92% of whom
cite the quality of available data as an important
challenge to successful FCRM.
Figure 9: Important challenges to successful FCRM
What do you see as your organization’s most important challenges to successful FCRM?
Challenges rated: access to internal data; in-house knowledge and expertise;
organizational culture and awareness of financial crime; completeness of data
recorded electronically; detection of previously undetected fraud; budgets;
investigative tools/solutions (including case management); board level/senior
management support.
Rating scale: Very important; Important; Somewhat important; Not important
Source: Chartis financial crime global survey
The EY point of view: Managing data throughout the customer life cycle
Effective financial crime risk controls are dependent
on the data that is supplied to them – even the best
control systems will be ineffective if the data provided
is of poor quality. This is an issue that more and
more organizations are identifying as a root cause of
operational inefficiencies. There is a need for better
data governance to be put in place, including data
policies to define minimum standards and effective
ongoing monitoring of these standards. In addition
there is currently an increasing trend of organizations
moving towards the use of a single data layer to supply
data to all of their financial crime risk control systems,
therefore ensuring a consistent set of data is used and
reducing the number of feeds from source systems.
Looking at data management across the customer
life cycle helps identify where financial crime risks are
introduced, controls required to mitigate those risks,
and ultimately what key data elements need to be
captured for those controls to be effective (Figure 10).
Figure 10: The customer life cycle
Example of data collection, financial crime controls and inherent risks at various stages in a bank account life cycle
Stages: Apply; Ongoing usage (iterative); Closure
Process steps:
• Customer – Application
• Bank – Customer due diligence (CDD)
• Bank – Conducts periodic review
• Bank – Account provided
• Customer – Change details
• Customer – Transactions
• Bank – Block or close account
• Bank – Application denied
• Customer – Account closure
• END
Key: Risk decision point
Input data:
• Customer and address identification and verification (ID&V)
• Beneficial owner identification
• Intention and product choice
• Initial verification sources
• Negative news data
• Behavioral data (e.g., transactions and counterparties)
• Change to reference information (e.g., account numbers, sort codes)
• Changes to beneficial ownership, company structures, customer information, address data, etc
• New customer information
• New ID&V data requirements
Controls:
• Initial know your customer (KYC) check
• Fraud check (e.g. impersonation)
• Credit score check (if needed)
• Prohibited customers list
• Knowledge base authentication (KBA) check
• Customer risk assessment model
• Credit score check (if needed)
• Politically exposed person (PEP) and sanctions screening
• Customer due diligence procedures, including simplified and enhanced procedures when appropriate
• Trigger (alerts) event-based assessment
• Fraud and transaction monitoring systems
• Customer and payment screening system
• Fraud (impersonation) checks
• Customer risk assessment model (CRAM)
• PEP and sanctions screening
• Periodic reviews (frequency determined by CRAM rating)
• Transaction and fraud monitoring alerts
• Reports to FIU and SARs
• Financial intelligence units to coordinate risk-based exit decisions
• Intelligence and information sharing protocols
• Exit list updates
Output:
• Account closure data
• Suspicious activity data
• Credit risk exposure data
• Fraudulent activity data
• Associated evidence
Risks:
• Onboarding convicted fraudsters
• Facilitating identity theft or criminal activity
• Establishing relations with sanctioned jurisdictions, individuals or entities
• Establishing relations with PEPs outside of risk appetite
• Inappropriate AML risk rating due to poor assessment
• Failure to identify beneficial ownership and ultimate beneficial ownership
• Failure to identify source of funds or source of wealth
• Facilitating payments to sanctioned geographies or individuals
• Overlooking suspicious trends in transactions due to wrong risk profile mapping
• Failure to disclose suspicious activity reports (SARs)
• Fines/reputational damage
• Enabling fraud and cyber crime
• Concealed true beneficial ownership
• Fraudulent or withheld information by customer
• Fraud: Account closure by people other than real owner
• Litigation/legal risk
• Conduct risk
Source: EY
Executing the integration process
The impetus for FIs to move toward integrated FCRM
is readily apparent. The integration process that
individual FIs follow, however, will vary in complexity
and direction, depending upon multiple factors, such
as size and organizational structure. Multi-national
firms and those with multiple business lines will be
facing particularly difficult challenges with respect to
coordination and alignment across those business lines
and borders.
Despite this, one commonality is that a phased
approach will be required by all – such a transformation
cannot be achieved overnight. Another common
challenge for most FIs is that they will probably begin
with roughly eight or nine main silos related to FCRM:
AML, sanctions filtering, card fraud, ACH fraud, online
fraud, employee fraud, trader surveillance, FATCA
compliance and KYC, for example.
Given that the concept of simultaneously unifying all
financial crime systems and processes under a single
umbrella is unrealistic, FIs must identify the areas where
there is least resistance to change in terms of their
systems and organizational structure.
For most organizations, the alignment of fraud and
AML systems and processes is a good place to start. As
regulators become more restrictive in their approach,
FIs are finding that they need to apply consistent
investigation processes and controls to their fraud and
AML assessments. Indeed, a number of FIs have already
integrated their processes.
Decisions on data
As firms move toward integration, the success of the
project will ultimately be determined by how effectively
they can manage organizational data. We have outlined
some of the different approaches and options that FIs
may consider as they seek to integrate data management.
1. Data integration
To turn data into practical information, business
intelligence systems need to manage the integration of
metadata. This process has a number of steps, which are
given below:
1. Establishment of the source to target data interface
with extract and transformation logic conducted at
the source.
2. Intermediation with a central data-staging layer to
centralize transformation logic.
3. Development of messaging standards to allow
sharing of information across networks and
application-to-application connectivity.
4. Introduction of high performance infrastructure to
speed up extraction of information and provide a
central platform for fast search.
5. Deployment of data and analytics kernels to source
platforms to pull data quickly through the enterprise,
and speed up end-user decision-making.
Many FIs have reacted to the ever-increasing volumes
of data they are required to process by investing in large
data warehouse projects. These data warehouses are
often cumbersome and slow, however, with lengthy and
laborious extract, load and transform (ETL) processes.
We are seeing organizations adopt several different
approaches to solve this problem. Some are moving
to a “publish and subscribe” model, while others are
converging regional standardized data hubs in an
attempt to make data transfer faster and more efficient,
while taking into account potential regional and
cross-border data protection issues. Audits of data quality are
also becoming increasingly common.
2. Data alignment and abstraction
One method for bringing data management systems
together that does not involve breaking down silos is to
use layered data abstraction processes that bridge across
silos instead.
An abstraction layered data management architecture
includes:
• A base, physical layer – where data sources are
integrated, providing basic quality checks, typecasting, and name formatting.
• A business layer – where standardized methods
of data description and modeling throughout the
enterprise are applied to the metadata from the
physical layer.
• An application data layer – where data is transformed
into an accessible format for data consumers, whether
these are customers or business users.
While the abstraction data layer system does not have
the same speed and efficiency as an integrated data
warehouse, the potential for quick implementation
and therefore return on investment make it an
attractive proposition, particularly for larger, complex
organizations.
Managing the integration process
As with any business change process, it is important to
create a structured roadmap at the outset that takes into
account the organization’s current state, including any
gaps, overlaps and efficiencies, and outlines the future
state, such as shared capabilities, synergies and benefits.
Broad executive-level ownership and visible support
for change will be important too, including leaders
representing a cross-section of the organization
committing time, resources and subject matter expertise.
Firms will also need to continue to run their existing
systems in parallel with the creation of new, integrated
systems in order to keep essential business processes
running. For most large FIs, a change budget will be set
aside, with a specific team set up to oversee the process,
usually over a three- to five-year period. These teams
will follow separate work streams, but their progress will
be reviewed at group level to ensure their approach is
aligned with the wider business. Careful construction of a
roadmap for this process is critical, as the transformation
process can and will change data sources behind
applications and will affect their function. This balancing
act of “run the bank” versus “change the bank” is a critical
success factor.
Expenditure
It is obvious that the budget will strongly influence
the approach that FIs are able to adopt as they move
toward FCRM integration, in terms of how swiftly and
how deeply the process goes.
Figure 11: FCRM expenditure
Which one of the following best describes your organization’s/business unit’s expenditure on FCRM technology for 2014–15?
• Increase by more than 50%: 15%
• Increase by more than 25%: 23%
• Increase by more than 10%: 25%
• Expenditure to remain the same as 2013: 28%
• Decrease by more than 10%: 6%
• Decrease by more than 25%: 2%
• Decrease by more than 50%: 2%
Source: Chartis financial crime global survey
Our survey results (Figure 11) reflect both the urgency
of the issue and the potential of integrated FCRM to
help reduce future costs, given that the majority of FIs
intend to increase their expenditure on financial crime
risk and compliance management technology, despite
the current emphasis on cost cutting in the sector.
The greater part of the spending increase within the
sector is likely to be tactical expenditure, focused on
extending existing point solutions to conduct enhanced
analytics, further compliance reporting, or buying new
point solutions. At the same time, there is also likely to
be a low volume of very high-value “change the bank”
projects by tier 1 FIs, involving significant investment,
and possibly the creation of financial intelligence units.
A convergence trend in financial crime looks at common
capabilities of reporting, case management, work flow,
analytics and data across all financial crime risks to
provide better information and intelligence sharing and
drive efficiencies in risk management (Figure 12).
Figure 12: Example target architecture for integrated financial crime risk and compliance management
A financial crime reference architecture
Financial crime risks: Anti-money laundering; Sanctions screening; Anti-fraud; Anti-bribery and corruption
Risk-specific: KYC; Name screening; Internal fraud; Gifts and entertainment; Customer risk assessment; Payment filtering; External fraud; Hiring practices; Unauthorized trading; Whistle blowing; Transaction monitoring
Common functions (example capabilities):
• Metrics and reporting: KPIs / KRIs; Operational MI; Visualization; Data aggregation; Model performance; Risk assessment
• Investigation management and financial intelligence unit: Holistic customer risk; Cross function investigation; Intelligence sharing
• Case management: Document management; Work flow; Consolidation & scoring; Case analytics
• Alerts
• Analytics: Holistic data view; Trend analysis; Model optimization; Predictive analytics; Model management; Peer analysis
• Data management: Data policy; Data governance; Data quality; Data validation; Data interfaces; List management
• Data storage: Internal data; External data; Relational data; Unstructured data; SLA management
Key: Financial crime risks; Data sources; Common functions
Source: EY
Conclusion
Today’s FIs are exposed to a wider range of risks than ever
before, as they continually implement new technologies
and open up new channels to customers in a bid to
remain competitive. Meanwhile, regulators continue to
pressurize firms to devote greater resources to assessing
and reporting on financial crime and conduct risk.
Significant operational savings can be gained
with centralized management of financial crime.
The convergence of analytics, workflow and data
management will increase transparency, increase agility
and decrease duplication of effort when analyzing
financial crime across business lines and international
borders, creating complete views of customers across the
entire transactional life cycle.
Those FIs that fail to face up to these risks and demands
will be at a distinct disadvantage in future as customers,
investors and shareholders all begin to attach
greater value to the security and integrity of financial
institutions, as well as reputation and brand protection.
What will be needed, therefore, is an integrated
approach to the management of financial crime risk
and compliance that will help them to better detect
criminal attacks and fraud and avoid regulatory
fines, and ultimately reduce their costs as a result of
operational efficiency savings and tighter security.
About the EY contributors
Patrick Craig
EMEIA Compliance IT Advisory Leader
Patrick has been with EY for more than six years and runs the EMEIA Compliance IT
Advisory practice. This practice provides IT strategy, transformation, optimization and
analytics services on monitoring, surveillance, investigation and reporting platforms
to global financial services institutions to help manage risk. Prior to this role, he was
responsible for building EY’s compliance IT advisory capability in New York. Previous
to working at EY Patrick was head of services for Searchspace, an AML technology
company that is now part of the Nice Actimize corporation. Patrick gives lectures at
the International Compliance Association on the topic of compliance technology and
speaks at international conferences on AML and financial crime trends.
Scott Samme
EMEIA Compliance IT Advisory Director
Scott has been advising and delivering technology solutions related to financial crime
prevention for more than nine years. He has experience across different industries,
including banking, insurance, national intelligence and policing, addressing Fraud,
AML, Sanctions, organized crime and intelligence in different geographies. Previous to
working at EY, Scott was the head of services globally for BAE Detica NetReveal.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
RiskTech100® rankings 2015
| Rank 2015 | Rank 2014 | Company | HQ | Total score | Functionality | Core technology | Organizational strength | Customer satisfaction | Market presence | Innovation |
|---|---|---|---|---|---|---|---|---|---|---|
| 1= | 1 | IBM | US | 68.7% | 82% | 75% | 66% | 52% | 68% | 69% |
| 1= | 2 | SAS | US | 68.7% | 83% | 80% | 60% | 53% | 67% | 69% |
| 3 | 3 | SunGard | US | 66.8% | 78% | 68% | 65% | 58% | 68% | 64% |
| 4 | 4 | Wolters Kluwer FS | US | 64.3% | 68% | 63% | 67% | 64% | 65% | 59% |
| 5 | 7 | MSCI | US | 64.3% | 66% | 60% | 69% | 60% | 65% | 66% |
| 6 | 6 | Oracle | US | 64.2% | 73% | 75% | 64% | 53% | 57% | 63% |
| 7 | 5 | Moody’s Analytics | US | 63.2% | 64% | 63% | 68% | 60% | 63% | 61% |
| 8 | 11 | Thomson Reuters | US | 62.8% | 65% | 64% | 63% | 58% | 66% | 61% |
| 9 | 8 | Misys | UK | 62.5% | 70% | 66% | 64% | 53% | 60% | 62% |
| 10 | 9 | OpenLink | US | 62.5% | 63% | 64% | 66% | 58% | 61% | 63% |
| 11 | 15 | SAP | Germany | 62.3% | 65% | 71% | 62% | 54% | 60% | 62% |
| 12 | 13 | Murex | France | 62.3% | 65% | 64% | 63% | 60% | 61% | 61% |
| 13 | 14 | BAE Systems | UK | 62.0% | 64% | 64% | 62% | 56% | 61% | 65% |
| 14 | 10 | Fiserv | US | 61.5% | 66% | 61% | 64% | 63% | 60% | 55% |
| 15 | 12 | NICE Actimize | US | 61.3% | 62% | 61% | 65% | 52% | 64% | 64% |
| 16 | 17 | FICO | US | 61.2% | 63% | 58% | 60% | 58% | 63% | 65% |
| 17 | 18 | Markit | UK | 60.5% | 68% | 64% | 61% | 55% | 56% | 59% |
| 18 | 20 | MetricStream | US | 59.8% | 59% | 59% | 63% | 55% | 60% | 63% |
| 19 | 26 | Numerix | US | 59.3% | 53% | 49% | 61% | 68% | 63% | 62% |
| 20 | 19 | NASDAQ OMX Bwise | US | 58.7% | 64% | 56% | 57% | 55% | 60% | 60% |
| 21 | 22 | FINCAD | Canada | 58.5% | 58% | 54% | 55% | 65% | 61% | 58% |
| 22 | 16 | Calypso | US | 58.0% | 62% | 59% | 57% | 53% | 59% | 58% |
| 23 | 24 | Wynyard | UK | 57.3% | 60% | 56% | 57% | 58% | 52% | 61% |
| 24 | 23 | Imagine | US | 57.2% | 60% | 58% | 55% | 59% | 51% | 60% |
| 25 | 25 | QRM | US | 57.0% | 60% | 52% | 55% | 54% | 60% | 61% |
| 26 | 34 | EMC RSA | US | 56.5% | 55% | 54% | 57% | 56% | 60% | 57% |
| 27 | 31 | Quantifi | US | 55.8% | 55% | 58% | 58% | 56% | 51% | 57% |
| 28 | 35 | Reed Elsevier | UK | 55.5% | 60% | 50% | 52% | 57% | 64% | 50% |
| 29 | 29 | Lombard Risk | UK | 55.3% | 56% | 56% | 57% | 57% | 54% | 52% |
| 30 | 30 | Allegro | US | 55.2% | 56% | 55% | 58% | 52% | 56% | 54% |
| 31 | 32 | FIS | US | 55.0% | 59% | 55% | 53% | 54% | 57% | 52% |
| 32 | 27 | ION Trading | Ireland | 54.7% | 60% | 57% | 56% | 48% | 57% | 50% |
| 33 | 33 | ACI Worldwide | US | 54.5% | 58% | 51% | 55% | 55% | 55% | 53% |
| 34 | 28 | Fernbach | Lux | 54.2% | 59% | 58% | 47% | 56% | 48% | 57% |
| 35 | 42 | Intellinx | Israel | 53.8% | 53% | 56% | 52% | 60% | 50% | 52% |
| 36 | 36 | Axiom SL | US | 53.8% | 56% | 59% | 49% | 64% | 47% | 48% |
| 37 | 37 | SS&C | US | 53.8% | 50% | 50% | 60% | 57% | 50% | 56% |
| 38 | 21 | Experian | UK | 53.7% | 49% | 48% | 57% | 57% | 62% | 49% |
| 39 | 38 | EastNets | UAE | 53.3% | 53% | 50% | 52% | 58% | 54% | 53% |
| 40 | 48 | Prometeia | Italy | 53.0% | 55% | 50% | 50% | 68% | 40% | 55% |
| 41 | 41 | Verafin | Canada | 52.8% | 56% | 50% | 50% | 66% | 39% | 56% |
| 42 | 46 | Quartet FS | UK | 52.3% | 41% | 57% | 51% | 60% | 46% | 59% |
| 43 | 56 | ACL | Canada | 52.2% | 55% | 50% | 54% | 57% | 49% | 48% |
| 44 | 39 | Palantir | US | 52.0% | 50% | 54% | 48% | 53% | 47% | 60% |
| 45 | 40 | MEGA | France | 51.8% | 56% | 52% | 52% | 48% | 50% | 53% |
| 46 | 44 | RiskVal | US | 51.5% | 52% | 52% | 52% | 54% | 47% | 52% |
| 47 | 47 | Protiviti | US | 51.2% | 45% | 45% | 57% | 55% | 55% | 50% |
| 48 | – | Broadridge | US | 51.0% | 56% | 53% | 54% | 50% | 50% | 43% |
| 49 | – | Bloomberg | US | 50.7% | 40% | 42% | 55% | 55% | 60% | 52% |
| 50 | 52 | Trintech | US | 50.3% | 48% | 48% | 51% | 51% | 55% | 49% |
| 51 | 55 | Simcorp | Denmark | 50.3% | 46% | 47% | 54% | 50% | 50% | 55% |
| 52 | 74 | Polaris FT | India | 50.3% | 58% | 56% | 51% | 52% | 35% | 50% |
| 53 | 45 | FinAnalytica | US | 50.3% | 50% | 45% | 45% | 55% | 45% | 62% |
| 54 | 51 | Conning | US | 50.3% | 58% | 50% | 49% | 52% | 43% | 50% |
| 55 | 50 | Jack Henry | US | 49.8% | 53% | 50% | 51% | 50% | 49% | 46% |
| 56 | 53 | DST Global | US | 49.8% | 47% | 47% | 51% | 52% | 51% | 51% |
| 57 | 59 | Brady | UK | 49.8% | 49% | 48% | 53% | 51% | 50% | 48% |
| 58 | 64 | Davis + Henderson | Canada | 49.7% | 49% | 50% | 56% | 56% | 46% | 41% |
| 59 | 58 | Empowered Systems | UK | 49.7% | 49% | 57% | 38% | 66% | 28% | 60% |
| 60 | 61 | Xenomorph | UK | 48.8% | 47% | 53% | 41% | 55% | 37% | 60% |
| 61 | 60 | BPS Resolver | Canada | 48.5% | 45% | 52% | 49% | 50% | 40% | 55% |
| 62 | 49 | TMX Group | Canada | 48.5% | 53% | 58% | 47% | 48% | 30% | 55% |
| 63 | 57 | Towers Watson | US | 48.3% | 44% | 39% | 49% | 55% | 56% | 47% |
| 64 | 63 | StatPro | UK | 48.2% | 45% | 45% | 51% | 58% | 42% | 48% |
| 65 | 65 | UBS Delta | UK | 47.2% | 45% | 44% | 48% | 50% | 42% | 54% |
| 66 | 90 | Safe Banking Systems | US | 46.8% | 40% | 50% | 48% | 58% | 37% | 48% |
| 67 | 67 | AIM Software | Austria | 46.0% | 35% | 53% | 50% | 50% | 45% | 43% |
| 68 | 69 | Savvysoft | US | 45.8% | 45% | 45% | 45% | 53% | 39% | 48% |
| 69 | – | Fenergo | Ireland | 45.8% | 55% | 50% | 50% | 50% | 30% | 40% |
| 70 | 62 | Enablon | France | 45.7% | 42% | 42% | 50% | 50% | 50% | 40% |
| 71 | 71 | BlackRock Solutions | US | 45.5% | 42% | 40% | 50% | 50% | 42% | 49% |
| 72 | 66 | eFront | France | 44.7% | 48% | 48% | 48% | 48% | 35% | 41% |
| 73 | 76 | Temenos | Switzerland | 44.5% | 40% | 49% | 50% | 49% | 40% | 39% |
| 74 | 79 | SecondFloor | Netherlands | 44.3% | 40% | 50% | 45% | 51% | 30% | 50% |
| 75 | 80 | Software AG | Germany | 44.2% | 44% | 41% | 46% | 50% | 45% | 39% |
| 76 | 82 | SAI Global | Australia | 44.0% | 46% | 41% | 45% | 50% | 47% | 35% |
| 77 | 78 | Riskdata | France | 44.0% | 40% | 40% | 46% | 50% | 43% | 45% |
| 78 | 73 | Cura Technologies | India | 44.0% | 40% | 40% | 47% | 55% | 42% | 40% |
| 79 | 84 | 3i InfoTech | India | 44.0% | 48% | 44% | 40% | 46% | 40% | 46% |
| 80 | 86 | ClusterSeven | UK | 43.8% | 41% | 43% | 47% | 50% | 37% | 45% |
| 81 | 85 | Patsystems | UK | 43.5% | 36% | 39% | 47% | 52% | 38% | 49% |
| 82 | 89 | Investor Analytics | US | 43.5% | 42% | 39% | 39% | 54% | 40% | 47% |
| 83 | 68 | Entrust | US | 43.5% | 35% | 38% | 45% | 48% | 45% | 50% |
| 84 | 83 | Reval | US | 43.3% | 44% | 40% | 46% | 46% | 40% | 44% |
| 85 | 87 | QUMAS | Ireland | 42.8% | 45% | 40% | 45% | 50% | 35% | 42% |
| 86 | 81 | Wilshire | US | 42.3% | 38% | 33% | 46% | 51% | 40% | 46% |
| 87 | – | CustomerXPs | India | 41.8% | 52% | 45% | 35% | 45% | 33% | 41% |
| 88 | 95 | Rockall Technologies | Ireland | 41.3% | 30% | 47% | 42% | 54% | 30% | 45% |
| 89 | 77 | Tonbeller | Germany | 41.2% | 60% | 55% | 46% | 45% | 38% | 3% |
| 90 | – | OpenGamma | UK | 41.0% | 37% | 60% | 34% | 45% | 30% | 40% |
| 91 | 94 | Infogix | US | 41.0% | 34% | 35% | 47% | 50% | 40% | 40% |
| 92 | 75 | Linedata | France | 40.8% | 38% | 40% | 45% | 49% | 30% | 43% |
| 93 | 91 | Neural Technologies | UK | 40.5% | 40% | 45% | 43% | 42% | 32% | 41% |
| 94 | 99 | Chase Cooper | UK | 40.5% | 40% | 37% | 40% | 47% | 35% | 44% |
| 95 | – | NCR Alaric | US | 40.5% | 46% | 44% | 30% | 50% | 25% | 48% |
| 96 | 96 | FactSet | US | 40.3% | 27% | 30% | 52% | 50% | 41% | 42% |
| 97 | 72 | Sword Group | UK | 40.2% | 38% | 40% | 40% | 50% | 40% | 33% |
| 98 | 92 | Teradata | US | 39.8% | 20% | 49% | 42% | 53% | 38% | 37% |
| 99 | 93 | Vadis | Belgium | 39.8% | 55% | 45% | 27% | 37% | 23% | 52% |
| 100 | – | iDetect | India | 38.3% | 50% | 52% | 28% | 35% | 22% | 43% |
Category winners
Chartis categories:
• Functionality: IBM
• Core technology: SAS
• Organizational strength: MSCI
• Customer satisfaction: Prometeia
• Market presence: IBM
• Innovation: SAS
Vertical:
• Banking: SAS
• Capital markets – sell-side: Murex
• Capital markets – buy-side: MSCI
• Insurance: SAS
• Corporations: OpenLink
Geographical sectors:
• Americas: FICO
• Europe: IBM
• Asia Pacific: Misys
• Middle-East & Africa: EastNets
Horizontal:
• Credit risk: Moody’s Analytics
• Market risk: IBM
• Liquidity risk & ALM: QRM
• Energy & Commodity trading risk: OpenLink
• Financial crime: SAS
• Operational risk & GRC: MetricStream
• Regulatory reporting: Wolters Kluwer
Appendix A: Research methodology
The rankings in Chartis’s RiskTech100® report reflect our analysts’ considered opinions, along with research into
market trends, participants, expenditure patterns and best practices. The data collection for this study started in
January 2014, and the analysis has been validated through several phases of independent verification. This study is
the most comprehensive of its kind and is a core element of Chartis’s annual research cycle.
Figure 13: RiskTech100® research methodology
• Performed market sweep of 32,000 risk technology buyers globally (80% financial
services, 20% non-financial services)
• Collated 1217 completed questionnaires from risk technology buyers and end-users
• Collected data on expenditure priorities and vendor preferences
• Collated 318 completed questionnaires from risk technology vendors
• Conducted 118 interviews and product briefings with risk technology vendors
• Conducted 115 interviews with risk technology buyers to validate survey findings
• Conducted 55 interviews with independent consultants and systems integrators
specializing in risk technology
• Applied RiskTech100® assessment criteria to filter top 150 vendors
• Reviewed data with 20 independent consultants and 110 risk technology buyers
• Interviewed 35 ex-employees of top 25 risk technology vendors to validate findings
• Undertook final data validation with 108 vendors – received 80 completed
questionnaires and 50 vendor briefings
• Concluded final top-100 rankings, category winners and report write-up
Appendix B: How to read the
RiskTech100® rankings
The RiskTech100® assessment criteria comprise six equally weighted categories:
• Functionality
• Core technology
• Organizational strength
• Customer satisfaction
• Market presence
• Innovation
Within each category, a number of sub-categories are weighted according to the level of importance that end-users
and system integrators attach to these aspects of risk technology provision.
Table 1: RiskTech100® assessment criteria
(Sub-category weightings are shown in brackets)
Functionality
• Depth of functionality (0.5) – The level of sophistication and detailed features in the
software product. Aspects assessed include: innovative functionality, practical relevance
of features, user-friendliness, flexibility and embedded intellectual property. High scores
are given to those firms that achieved an appropriate balance between sophistication and
user-friendliness. In addition, functionality linking risk to performance is given a positive
score.
• Breadth of functionality (0.5) – The spectrum of risks covered as part of an enterprise
risk management solution. The risk spectrum under consideration includes treasury
risk management, trading risk, market risk, credit risk, operational risk, energy risk,
business/strategic risk, actuarial risk, asset-liability risk, financial crime and compliance.
Functionality within and integration between front-office (customer-facing) and middle-back office (compliance, supervisory and governance) risk management systems are also
considered. High scores are given to those firms achieving (or approaching) integrated
risk management – breaking the silos between different risk management functions.
Core technology
• Data management (0.35) – The ability of enterprise risk management systems to interact
with other systems and handle large volumes of data. Data quality is often cited as a
critical success factor, and ease of data access, data integration, data storage and data
movement capabilities are all important factors.
• Risk analytics (0.35) – The computational power of the core system, the ability to analyze
large amounts of data in a timely manner (e.g., real-time analytics), and the ability to
improve analytical performance are all important factors.
• Reporting (0.30) – The ability to surface information in a timely manner. The quality and
flexibility of reporting tools and ease of use are important for all risk management systems.
Organizational strength
• Sales execution (0.25) – The size and quality of sales force, sales distribution channels,
global presence, focus on risk management, messaging and positioning are all important
factors.
• Financial strength /stability (0.25) – Revenue growth, profitability, sustainability and
financial backing. (The ratio of license to consulting revenues is key to business
scalability.)
• Implementation and support (0.25) – Important factors include size and quality of
implementation team, approach to software implementation, post-sales support and
training.
• Thought-leadership (0.25) – Business insight/understanding, new thinking, formulation
and execution of best practices, and intellectual rigor are considered important by end-users.
Customer satisfaction
• Value for money (0.4) – Price to functionality ratio, total cost of ownership versus license
price.
• After sales service and support (0.4) – Important factors include ease of software
implementation, level of support and quality of training.
• Product updates (0.2) – End-users consider frequency of updates, keeping pace with best-practice and regulatory changes to be important.
Market presence
• Market penetration (0.4) – Number of customers in chosen markets, rate of growth relative
to sector growth rate.
• Market potential (0.3) – Brand awareness, reputation, and the ability to leverage current
market position to expand horizontally (with new offerings) or vertically (into new
sectors).
• Momentum (0.3) – Performance over the last 12 months, including financial performance,
new product releases, quantity and quality of contract wins and market expansion moves.
Innovation
• New product development (0.4) – New ideas, functionality, and technologies to improve
risk management for target customers. Chartis assesses new product development, not in
absolute terms, but in relation to the vendor’s closest competitors.
• Exploitation (0.4) – Developing new products is only the first step in generating success.
Speed to market, positioning of new products and translation to incremental revenues
are critical success factors.
• New business models (0.2) – Innovation is not limited to the product dimension. Some risk
technology vendors are also actively working toward new business models for generating
profitable growth.
How to use research and services
from Chartis
In addition to our flagship industry reports, Chartis also offers customized information and consulting services. Our
in-depth knowledge of the risk technology market and best-practice allows us to provide high quality and cost-effective advice to our clients. If you found this report informative and useful, you may be interested in the following
services from Chartis.
For risk technology buyers
If you are purchasing risk management software, Chartis’s vendor selection service is designed to help you find the
most appropriate risk technology solution for your needs.
We monitor the market to identify the strengths and weaknesses of the different risk technology solutions, and track
the post-sales performance of companies selling and implementing these systems. Our market intelligence includes
key decision criteria such as TCO (total cost of ownership) comparisons and customer satisfaction ratings.
Our research and advisory services cover a range of risk and compliance management topics such as credit
risk, market risk, operational risk, GRC, financial crime, liquidity risk, asset and liability management, collateral
management, regulatory compliance, risk data aggregation, risk analytics and risk BI.
Our vendor selection services include:
• Buy vs. build decision support
• Business and functional requirements gathering
• Identification of suitable risk and compliance implementation partners
• Review of vendor proposals
• Assessment of vendor presentations and demonstrations
• Definition and execution of proof-of-concept (PoC) projects
• Due diligence activities
For risk technology vendors
Strategy
Chartis can provide specific strategy advice for risk technology vendors and innovators, with a special focus on
growth strategy, product direction, go-to-market plans, and more. Some of our specific offerings include:
• Market analysis, including market segmentation, market demands, buyer needs, and competitive forces
• Strategy sessions focused on aligning product and company direction based upon analyst data, research, and
market intelligence
• Advice on go-to-market positioning, messaging, and lead generation
• Advice on pricing strategy, alliance strategy, and licensing/pricing models
Thought leadership
Risk technology vendors can also engage Chartis to provide thought leadership on industry trends in the form of
in-person speeches and webinars, as well as custom research and thought-leadership reports. Target audiences and
objectives range from internal teams to customer and user conferences. Some recent examples include:
• Participation on a “Panel of Experts” at a global user conference for a leading ERM (Enterprise Risk Management)
software vendor
• Custom research and thought-leadership paper on Basel 3 and implications for risk technology
• Webinar on financial crime risk management
• Internal education of sales team on key regulatory and business trends and engaging C-level decision makers
Visit www.chartis-research.com for more information.
Further Chartis reading
• Liquidity Risk Management Systems 2014
• Conduct Risk Management Systems 2014
• Risk Data Management & BI at Bank of Montreal
• Solvency II Technology Solutions 2014
• Enterprise GRC Solutions 2014
• The Evolution of Crime Analytics
• Competing on Risk and Compliance: A New Path for Emerging Market Banks
• Model Risk Management Solutions 2014
• Operational Risk Management Systems for 2014
• Basel 3 Technology Solutions 2013
• Aligning Risk And Finance In Banks: From Theory to Practice
• Enterprise Fraud Solutions 2013
• Anti-Money Laundering Solutions 2013
For all of these reports see: www.chartis-research.com