Banks face new risk-pitfall

The Ghanaian banking industry is generally profitable and is developing fast. A look beneath the surface, however, complicates the story somewhat: operational-risk exposures are rising dangerously and security systems have become vulnerable to breaches -- calling into question the strength of the internal governance and risk-management framework, and the sustainability of the current business model into the future.

The prospect of operational-risk losses has become more plausible as banks expand their transactional income sources -- the card business, principally. Every bank is in the card business -- at least issuing its own specific debit card. But in the last few years, banks have begun to deploy international debit cards that have more sophisticated utility and can be used everywhere in the world.

Now, imagine the frightening possibilities if the security backbone behind this deployment is breached: hackers would penetrate systems – even from miles away – and tap into confidential data resources that enable them steal depositors’ funds. The threat could in fact manifest right at bank’s doorsteps, as hackers have been known to clone debit-cards minutes after they have been inserted into an ATM by a customer.

So, how is the industry faring? One expert, preferring to be anonymous, concludes that Ghanaian banks are ill-prepared to guard against these threats and, as he put it, “most banks have no clue how these things work. Operational risk-management is only a small part of their overall risk-management strategy.”

Indeed, some local banks have had their security systems breached in the past, but the incidents have invariably been covered up -- to avoid the embarrassment that a public disclosure would bring and the panic that could be triggered if depositors have reason to doubt a bank’s ability to protect their funds.

There is even greater vulnerability with mobile banking.

True, in Ghana’s market -- as in most others -- except when they are partnered by banks, mobile operators are not permitted to offer mobile-banking services. This is a way of allowing operators to manage risks by relying on banks’ infrastructure and controls. But it is not enough to guard against all the risks and threats.

Just compare the two processes involved in signing up for a bank account and a mobile wallet. Banks, in general, collect more data from customers, whereas until recently mobile operators did not know the identities of their customers.

In discussing these issues, one has to assess the compatibility of banks’ existing business models with the higher security standards demanded as the industry develops. The business model defines a bank’s outlook and priorities. In Ghana, banks’ income is mainly derived from interest on loans – and in this area, there is often little diversification of the loan-book, which limits the depth of banks’ intermediation services and concentrates their risks.

This alert need not cast the industry into utter gloom. Help is available, and there is much banks can do to help themselves, too. There are skills available in this economy that banks must look for to help them confront these challenges -- along with their own safeguards.

The industry must embed information security systems forcefully into their risk-management frameworks, ensuring that data leakages can be minimised. This, of course, should be part of a broader systems-security strategy.

One crucial element is to evolve early-warning strategies that tip off a bank about emerging or imminent threats. In fact, the industry’s exposure to significant levels of bad debts in the last three years is partly the outcome of weak or non-existent early-warning strategies that could have averted the crisis.

Admittedly, banks have over the years strengthened credit-risk management. But there are weak points. Expensive pricing is one of them. If credit is too costly, it increases the risk of default. Simple! And the market has very much been characterised by this feature for long, only worsening when the global financial crisis struck and domestic macro-economic imbalances surfaced. Banks must start reviewing their funding and other costs, and the impact on pricing.

To protect client data, standards abound that banks can subscribe to.

The Payment Card Industry Data Security Standard (PCI-DSS) is one such standard. It is a multifaceted security standard that encompasses requirements for security-management policies, procedures, network architecture, software design and other critical protective structures. The Basel rules are also very useful, but they need enforcement -- otherwise it is really up to banks to assess themselves on the risk-management standards embedded in the rules.

Human capital transformation should parallel banks’ other actions as they incorporate these changes. For credible, sustainable risk-management, human-resource functions within banks have to be properly segregated in conformity with accepted principles. More training and retooling is needed across the entire range of operations, especially as new models and systems are evolved to take on future challenges.

Many experts and forward-thinkers say today’s business models are unlikely to survive tomorrow’s environment. New models that vary revenue sources, broaden the reach of banks’ services, transform security-management and sustain growth and profitability are the future of the industry.

Regulation is certainly crucial in all this. Thankfully, it does not appear that the Bank of Ghana is complacent -- but a few banks have actually gotten ahead of the regulator in enforcing on themselves some of the desirable changes and advances. The Central Bank must build capacity faster in order to provide proper guidance and supervision.

The economy is growing fast, and there is deeper need for financial intermediation as a result. Today, because Ghana is a bigger economy under the revised national accounts structure, most financial intermediation indicators/ratios have fallen dramatically. Ahead are both opportunities and challenges. Banks can rise above the challenges and optimise the opportunities only if they transform.