Risk Technology Awards 2020 – Coping with Covid uncertainty

Scenarios scrapped, rules revised and holes plugged – how the winners of the Risk Technology Awards 2020 are adjusting to the Covid‑19 pandemic

Risk software is designed for bad times – but not bad times like these. The Covid-19 pandemic – defined by huge uncertainty about policy effectiveness, human behaviour, and the timeline for successful treatments and a vaccine – is a crisis like no other, testing the resilience, responsiveness and flexibility of risk systems and the companies that use them. 

The call for entries to this year’s Risk Technology Awards went out before the virus had reordered human society worldwide – so the winners were judged primarily on their achievements in the pre-coronavirus age (see Methodology box). This article, though, explores the impact of the pandemic on the winning firms and their clients. 

Some had to scramble – overhauling products that were instantly rendered inappropriate or irrelevant by the scale of the disruption. Other products and services still worked, but needed a new layer of intervention and interpretation to be applied.

Credit risk vendors found themselves in the first of these categories. As part of its stress-testing services, Moody’s Analytics – which won six categories in this year’s awards – produces baseline economic forecasts and various alternative downside scenarios, updated monthly. In addition, it forecasts income and balance sheet statements for banks on a quarterly basis. These services had to be immediately retooled to reflect the impact of a sudden economic freeze as the world went into lockdown.

“March was unprecedented,” says Olivier Brucker, senior director at Moody’s Analytics. “Output, unemployment and other macroeconomic indicators deviated from the baseline scenario within a few days and quickly moved beyond both our 10% and 4% probability downside scenarios.” 

In response, the company released a number of ad hoc thematic scenarios to capture the emerging risks and provided a mid-cycle update to the March baseline and alternative scenarios that incorporated the economic risks resulting from the pandemic. 

“We ran these scenarios through our off-the-shelf forecasting models to provide our customers with up-to-date balance sheet and income statement projections as these exceptional events unfolded,” says Brucker. The company followed with updates in April, May and June. It continues to evolve its models to capture future pandemic-related and other risks, Brucker adds.

The challenges are particularly acute when trying to forecast default rates, where the pandemic has deprived lenders of their usual lodestars. Traditional data – such as salary or credit card spending behaviour in the case of individuals, and liquidity or leverage ratios in the case of companies – has suddenly shifted, implying catastrophe. On the other hand, various forms of state support – such as furlough schemes and business loans – suggest the worst can be avoided. This requires the review and adjustment of traditional models.

“Typically, firms are having to introduce rules, or modify existing rules, to deal with fact that their models are potentially impaired,” says David Rogers, global product marketing manager for risk management solutions and technology at SAS, which won the award for Consumer credit modelling software of the year. “They are having to apply policy and guidelines much more tightly to the lending process.” 

This can entail replacing some automated calculation of modelling factors with expert input – for example, changing cut-off points for loans. “This allows banks to maintain the integrity of the models while recognising the changed circumstances,” says Rogers. 

An onlooker might regard this as a one-off patch – in time, the data will become more reliable once again – but Rogers argues we might be witnessing a more permanent change, as lenders start to appreciate the shortcomings of standard models. “Lenders are going to have to look at the possibility of using alternative datasets to help make decisions, as well as manage their collections and debtors.” 

This might include utility, telephone and broadband bills, as well as sentiment and other scores generated by applying artificial intelligence (AI) and machine learning to social media and news sources.

Aire is one organisation that already has a non-traditional approach to credit risk – both to the consumers it attempts to score and the methodology it applies when doing so. The company aims to provide access to credit for borrowers whose finances cannot be illuminated by the conventional tools of the credit industry. These include young professionals who have not borrowed before, ambitious recent immigrants with no financial footprint in the UK or reliable older people who have paid off their mortgages years earlier. 

“As the conventional tools cannot see them – or can see only part of their financial circumstances – they are denied credit, access to lending is delayed or they can only get it at inflated rates,” says Aneesh Varma, chief executive officer and co-founder of Aire, which won this year’s Most innovative vendor award.

Aire tackles the problem by gathering financial and lifestyle information directly from consumers – principally via online questionnaires – and applying machine learning not just to the responses, but also to the way consumers interact with the questionnaire. 

During the pandemic, Aire has had to make some adjustments – for example, incorporating the notion of furloughing and how this might impact the profile of consumers and their income. “With Covid‑19, we have to spend time manually validating the thinking of the machine. You have to step up the human effort – applying logic and reason. If the machine is pointing to a factor that shows positive correlation with financial distress, you have to ask, why?” says Varma.

Remote working risks 

While the pandemic has not necessarily spawned a new breed of cyber risk or security threats, by rapidly altering the landscape of how financial institutions and their customers operate and interact, it has exposed holes and weak points in cyber defences, says John Dasher, vice-president for products and marketing at RiskSense, which won the Cyber risk/security product of the year award.

“The rush to facilitate working from home has put a strain on infrastructure that wasn’t necessarily designed for use at such scale, creating risk from financial institution employees working remotely and from customers performing [online] transactions. Vulnerabilities that are present in remote access services and web applications that facilitate access to financial institutions are now of even greater interest to the bad guys,” he says.

Certain products and technologies used by employees working remotely – such as virtual private networks (VPNs) – were designed for pre-pandemic usage level and are being stretched to their limits. “Many of the VPN systems in place aren’t able to scale to the level now needed,” says Dasher.

Many organisations hastily rolled out new or expanded infrastructure to meet demand and, in doing so, misconfigured systems and/or failed to ensure their security measures were up to date. Where they have made security exceptions to accommodate remote working, they have often not been tracked, followed up on and closed. Furthermore, many organisations have relied on operations staff being physically present to upgrade security measures on their systems. Making adjustments to allow this to be undertaken remotely has led to delays and vulnerabilities, says Dasher.

Opportunistic exploit

Hackers are not the only ones who have been looking for opportunities during the pandemic. “Measures to fight the virus have also been affecting the criminal economy and criminal behaviour as virtual and electronic channels’ usage increased heavily,” says Frank Holzenthal, senior director for financial services at consumer credit-scoring giant Fico. 

Fraud and social engineering attacks are on the rise, as well as bribery and corruption, robbery, theft and medical scams. Pandemic-related economic stimulus measures are being exploited in a number of countries, with aid for non-existent or even inactive companies requested, or sham businesses being registered at short notice to apply for aid. This has not required new technology or features in financial crime and anti-money laundering (AML) systems, but more an adjustment of scenarios in monitoring systems, says Holzenthal. 

But the challenge is enormous, even with the help of AI and machine learning. Consistently spotting patterns and anomalies across massive datasets is a key strength of AI and machine learning, aided by more traditional statistics that provide useful insights with less computational overhead, says Dasher at RiskSense. But, because user behaviour patterns have shifted overnight, the techniques are likely identifying large numbers of false positives as almost all behaviours are anomalous. “Figuring out what is truly malicious is near impossible,” he says.

The closing or limiting of hours of bank branches because of the pandemic has boosted digital account applications. This has led to many countries starting to ease their know-your-customer (KYC) processes – especially in Africa, where mobile money services supplement poor banking infrastructure and enable cashless payments. Fico, which won the Financial crime product of the year award, has responded by integrating its identity validation product with its KYC system and embedding watchlist screening and real-time customer risk-rating into the onboarding process.

Robo-workflows 

Paradoxically, as the pandemic has required more manual intervention in models and decision-making processes, it is also pushing organisations towards more automation. One reason is that organisations want to enable as many customers as possible to self-service supported by automated workflow so they can free up their human resources to support others with more complex and demanding needs. This is simply accelerating a process that was already under way, says Holzenthal at Fico. 

“Tasks that are time-sensitive, repeatable, high-volume and routine can be completed by robots so that the workforce can focus on more urgent or more value-adding work,” he says. Fico has been turning to robotic process automation (RPA) – technology that sits somewhere between AI and simple automation of workflow, mimicking a set of standardised processes that would otherwise be done by humans. The company is applying it in areas such as alert investigation, where it can automatically prioritise and dispatch alerts to investigators, assign tasks or trigger multilevel approval chains. “RPA ensures process conformity and decision consistency, reduces errors and increases accuracy, and orchestrates processes to operate autonomously 24/7. RPA will play an increasing role in financial crime solutions,” says Holzenthal. 

Prior to the pandemic, traditional business continuity and disaster recovery plans generally assumed technology and offices would take a hit, with backup systems and office facilities seen as the solution. This has been turned on its head, with technology proving to be the solution and backups and offices redundant. 

As for the core operational systems themselves, there should be no surprises in terms of their functioning during the stress or unusual circumstances of the pandemic if they have been properly tested, says Iosif Itkin, co-chief executive and co-founder of Exactpro – named Managed support services provider of the year. Outages and unusual peaks in transaction load, numbers of connections or asset prices are something that complex distributed systems, such as banks’ capital markets systems, are innately prone to, he says.  

“There is a certain level of technology sophistication that gives a system so many degrees of freedom that the uncertainty around its behaviour makes failure a question of when, rather than if,” he says. Rather than trying to predict future circumstances, technology platforms should be stressed to their limits, with rigorous checking for monitoring and alerting mechanisms, and system failover capabilities. “Instead of waiting for a catastrophe to happen, we emulate it during our tests, thus providing stakeholders with the information on the real state of the platform and its readiness for the unexpected,” says Itkin. 

Furthermore, mission-critical financial software is usually part of bigger infrastructure with multiple gateways and end-points, some of which likely support external connections to many users or automated services in other platforms. So checking performance under high volumes should be an integral part of testing regimes to ensure systems are ready for an increased number of connections and spikes of activity within them, such as those prompted by the massive move to remote working during lockdown, says Itkin.

Read more about the Risk Technology Awards 2020 winners