Third-Party Risk Compliance

How Banks Can Manage Third-Party Risk Compliance

Third-party risk compliance is a hot topic for banking regulators. They continue to hand down regulatory guidance and level enforcement actions against banks for not having enough oversight or service governance of customer interactions with ecosystem partners. Gartner noted that banks spend the least amount of their risk management resources overseeing the daily activity of their partnerships, which is when the majority of compliance issues take place.

Our CEO and founder Alfred (Chip) Kahn and President Tim Attinger sat down for a Q&A on the state of bank-fintech partnerships and the regulatory climate, and offer thoughts on what needs to be done to mitigate risks that cost customers and impact the bottom line.

Mitigating Third-Party Risk in Banking Transcript:

Q: What is your reaction to the guidance on third-party partnerships and risk, holding banks responsible for what their third parties do regarding service governance, CX and compliance? 

Tim Attinger: What we've seen is that, for the first half of 2024, the back end of 2023, regulators have been interventionist in many ways with respect to banking.

The increased capital requirements on banks of all stripes, particularly mid-market firms, led to a contraction into a risk management coverage mode. Regulators, in an increasing interest rate environment and following several bank failures, have really enhanced their focus on bank operations. One major way they've done this is by looking at distributed risk in financial systems, one of which is third-party solutions delivered under a bank banner. 

If you're a business owner in a bank, it makes sense to not make everything in-house. There are off-the-shelf solutions that make sense to sell to commercial and consumer clients. The flip side is that while you're selling them under your name, you're not actually delivering the service. Regulators have issued guidance that says you're on the hook for what your partners do with your customers.

Fortunately for them and for us, our platform at OvationCXM delivers not only that service governance oversight but also the ability to optimize that ecosystem and grow differentially in the marketplace because you can deliver a uniquely bank-branded experience through it.

Chip Kahn: Yes, I agree with all of that. I would add that when you look at what's happening and the reasons behind all this regulatory attention, one is the current administration's stance on innovation, which is stifling it. That is a fact, and it's reflected in the regulatory perspective. 

The second is that this really started with banking as a service from embedded finance. When services started getting embedded in the software consumers and businesses use daily, regulators took notice. I heard a few weeks ago that seven banks were served notice to stop. This relates back to my first point—how are they supposed to innovate? This is a major opportunity to provide more financial access and better solutions to small businesses and consumers, yet the government is getting in the way. Embedded finance and banking-as-a-service fundamentally mean working with third parties. 

This third-party risk focus emerged from banking as a service efforts. While it's important, we argue that more attention needs to be on the ongoing management of third parties, not just their initial certification. The certification process is extensive, but real-time monitoring is necessary. Customer complaints often come in via Excel sheets and emails, managed in Microsoft Office. There's no structured workspace or real-time data pipelines, which is what the industry needs. Especially in commercial and small business banking, where many products come from third parties, there is going to be more scrutiny.

Q: What are bankers telling you about the challenges of overseeing their ecosystem in this regulatory environment?

Tim Attinger: In a regulatory environment where I'm responsible for the actions of my third-party partners as a compliance risk management executive inside a bank, I'm flying blind. I've got SLAs, and I only know something's wrong when it happens. I receive monthly reports after the fact instead of real-time data that I can act on and perhaps mitigate issues before they escalate.

This has created a regulatory burden and a headache for those parts of the bank responsible for compliance, but it has also created opportunities for business owners. They can use tools like our CXM platform, which provides real-time oversight and management. It allows them to distribute access to third-party solutions and democratize banking access across a broader population of clients because they have the visibility and ability to orchestrate actions as if these third parties were part of their organization.

In every challenge, there's an opportunity. We're seeing both sides of that in our market conversations.

Chip Kahn: Yes, we tend to spend more time with line-of-business owners who are responsible for their P&L. One of the major challenges for P&L owners in banks is the compliance department. There's a push and pull between the business owners trying to drive new business and the risk and compliance teams determining acceptable methods.

We propose a solution that enables business owners to achieve their goals while providing the compliance team with the real-time visibility they need. This way, they can work together as partners to drive the business forward rather than having an adversarial relationship. The tension is important, but it doesn't have to be. We believe there's infrastructure that can help solve this.

Q: Why specifically is the lack of ongoing monitoring of third-party partners a problem?

Tim Attinger: I'll talk to the business side of it for a second. Every interaction with your organization is revenue-accretive or attrition-driving, right? I mean, my experience of a bank after I've signed up for something is my ongoing experience of using the product. And if that third-party product goes poorly, my experience goes poorly. Then my impression of the bank goes poorly. So it increases the risk of revenue loss. It increases the challenges and growth.

I would say that we see the same thing from a risk perspective, which is that if you're not managing the ongoing delivery, you're not actually capturing the true risk to your business.

Chip Kahn: The systems on all sides of this equation haven't been built. The existing systems haven't been built to solve this, which is why you end up with spreadsheets and phone calls and very antiquated ways of looking at it. It’s as far as can be from AI and where we are today.

There are service providers that serve multiple banks. They have data that could be considered complaint data co-mingled with other banks. They can't track any of it. They've done that for their own operational efficiency. So, as a bank establishes relationships with these third parties, they really need infrastructure that can provide real-time visibility, collaboration, and communication to address and monitor ongoing activities. 

If you have a good system, that system is also going to apply pattern matching and use AI to flag things. This is not customer-facing. This is about recognizing, at scale, issues happening in the ecosystem. And that's a great internal use case for AI. The infrastructure you put in place should have all of those things.

Tim Attinger: It should. I would argue one more point worth making. As banks and their third-party providers open up visibility to each other on what they're doing with shared customers, the outcomes are better for both organizations and for the client. So, it's not so much about a bank watching what a partner does. It's about both working together because they’re ultimately on the same team to deliver a solution to a client that brings both of them revenue and reputational benefit in the marketplace. We see that as much more of a win for both sides than an adversarial vendor-client relationship from a financial institution standpoint.

Q: What are the steps you recommend to use AI in third-party risk management?

Chip Kahn: Step one is getting all of the influx data that's across your ecosystem into a place that you can apply AI. We've been referring to it as infrastructure; I would call it data aggregation. That's what OvationCXM does at some level. We talk about orchestration, but we are aggregating data so we can orchestrate. Once you've aggregated the data, then you can start to look at anomalies and specific use cases. For example, someone rolls out an update to a product, and there are a lot more issues or complaints. When more cases are created, you can flag it. When there's a high level of volume, the value of AI is, it can identify things in milliseconds that would take humans maybe a day to identify. It’s the time it takes us to read, synthesize, and process it versus a machine doing it.

I think there are great opportunities once you've got a good data aggregation partner. I'm not talking about the Plaids of the world; I'm talking specifically about CXM platforms, like ours, that help manage customer experiences. You can drive workflows that identify and proactively alert a bank to investigate something. Or notify the service provider that their banking partner is going to get more complaints, which is not good for anybody, especially for the end customer, which is what we should all be focused on.

Tim Attinger: Another fascinating use case for AI we've seen is super powerful. When an account manager, senior executive, or business line owner in a bank is going in to see Client X, Corporate Customer Y, they need to know what's going on with them. Where are they in journeys? How are we doing with them?

Let me tell you what that experience looked like before the CX platform that we deliver. They have to go through about 15 different systems and talk to about 30 different people. Or read email threads that are 75 pages long trying to piece together what's been going on with this client, including what's going well, what isn't and getting a snapshot of client health. 

Instead, with the aggregation of data you have for the orchestration that we provide, you can apply an AI engine to give a quick, unbiased paragraph or two on where things are at with this client. You can get answers to: what's happening? What journeys are they on? How's it going? Where have we won? Where have we stumbled? What could we do better? All in a handful of seconds. That is a powerful, powerful use of AI that isn't customer facing. It's internal facing, but it absolutely changes the game for how you compete in the marketplace as a bank.

Q: How can AI be used along with your CX platform to manage complaint journey flows?

Tim Attinger: The same capability that provides a quick AI summary of how a bank is doing with a client can deliver to a compliance officer information about what went massively sideways with a client, how and why, and what are we doing to remediate? What's our next best action to make sure it doesn't happen again?

It’s the same aggregation of data, using tons of journey information and interaction data to summarize what happened over the past 30 or 45 days with this client, the timeline of a journey this client was on, where things fell apart, and where we stumbled or our partner stumbled. 

Being able to piece that together by applying a generative model to existing journeys and client data is a huge improvement over the way it works today. Today, I round up 50 people, look through a ton of emails, and it takes a week or more to learn what I could have found out from a system like OvationCXM in 30 seconds.

The application of our platform has been primarily against business owners who are trying to drive results in the marketplace through an increasingly distributed ecosystem delivery model where there are partners and banks have to manage them as if they're them.

The same infrastructure that drives all those great business results (increased revenue, lower attrition, higher NPS, lower costs for the bank, and lower costs for the partners because of the efficiency in that interaction) also accrues to the compliance and risk folks who need to be monitoring how well that partner is doing against the obligations that we've set for them at the front end. Risk management and compliance can monitor that through the same platform because it's all the same data.

Two questions it can be used for are 1) How do we grow? And 2) how do we make sure we don't stumble? Both parties, the business line owner and the compliance officer, are interested in that same outcome.

Q: What would you say to IT leaders about managing risk with OvationCXM?

Tim Attinger: Banks already have legacy investment in a ton of existing, relatively brittle and not fit-for-purpose systems. How does adding OvationCXM help without creating more headaches?

We get most of the experiential data we need from a handful of existing market standard systems to which we've already built pre-integrations and rules around data aggregation and data synchronization. We're an overlay for the systems banks have today. You don't have to rip and replace anything to change the way a customer experiences the enterprise. All bank IT leaders have to do is lay us on top of the legacy systems and let us orchestrate the activities of siloed organizations inside your company, their systems and third-party external partners. 

This provides a true end-to-end management construct across what would otherwise be a distributed siloed mess. 

Today, without our platform, a customer traversing that distributed siloed mess feels it; it is painful. OvationCXM empowers you to make it a purpose-built, managed, orchestrated, and intentional process for the customer to accomplish something with your enterprise.
