Von Gabriella Stratoti

Due to the banking industry’s past events – such as the well-known Adoboli case or the Libor scandal – many regulators expect banks to go beyond the execution of individual controls. They anticipate a more holistic approach by connecting the dots across control results and by taking into account other available data. A so-called ‘holistic monitoring’ program supports a bank to identify potential misconduct at an early stage, which prevents or reduces financial, regulatory or reputational damage. What is ‘holistic monitoring’ and how can it be implemented? 

Let us illustrate the holistic monitoring on an example: Imagine that you are working in a control function of a bank, where you are responsible to perform cross-border controls. You have been in this function for more than two years and every now and then, the same Client Advisor pops up in your control results for not adhering to internal policies. By coincidence, you bump into your colleague, who performs Anti Money Laundering (AML) and Know Your Customer (KYC) controls. By talking to each other, you realize that the same Client Advisor regularly appears in your colleague’s control results as well. You start investigating further and by digging a bit deeper you find out that the Client Advisor has a high number of clients classified as ‘high risk’ from an AML perspective as well as a big share of clients domiciled in strictly regulated cross-border jurisdictions. Combining all this information, you conclude that a potential misconduct of this Client Advisor could expose the bank to a greater risk than originally anticipated. By looking at the various information, the risk assessment can be done more holistically and is hence, more accurately reflecting the potential risks. Such a holistic view should be available in a standardized way. In the following statements, you will find the elements and considerations that need to be taken into account when implementing a holistic monitoring program.

Prerequisites of a successful implementation

Before implementing holistic monitoring it needs to be checked if the following prerequisites are fulfilled:

• The Management of the bank supports the implementation of a holistic monitoring
• The holistic monitoring fits into the corporate culture
• Holistic monitoring does not breach local data protection law
• The frameworks of the underlying individual risks are mature enough to enable a holistic

A process view

The figure below illustrates that holistic monitoring follows an iterative process. The input data and the scoring model that is used is reviewed on a regular basis to ensure the program remains up-to-date and to continuously increase the effectiveness.

1. Definition of input data

• Which risk scenarios should be in scope? What is the risk appetite for these risk scenarios?
• What population of the bank should be monitored for which risk scenarios? Should there, for example, be a different risk coverage for Investment Banking and Private Banking?
• What data is available for the defined risk scenarios and population? What should be the period in scope?
• Which key risk indicators do already exist that can be leveraged for the input data?

2. Development of a scoring model

• Which risk scenarios and input data should have a stronger weight when defining a risk-based scoring model?
• Are there specific constellations that should be weighted stronger than others?
• Can outliers in peer groups or compared to historic data be used as high-risk indicators?
• Which thresholds should be defined for the generation of an output serving as an ‘alert’?

3. Assess output of the scoring model

• Which standard review methodology should be followed?
• What should be the documentary requirements for the review?
• What escalation paths should be followed?
• Are there trends or patterns that have been identified when looking at the output holistically, that require further actions in specific areas?

4. Review effectiveness of the monitoring program

• What model governance standards are defined in the bank? Such as frequency, documentation, key performance indicators?
• Are the risk scenarios and coverage of the population still valid?
• Is the defined input data with respect to new or decommissioned tools still up to date?
• Which risk or data subject matter experts need to be involved in the review?

Organizational structure

A project organization should be in place during the implementation phase. Ideally, the management of the monitored business areas, as well as the management of the second line of defense is represented in the Steering Committee. The project group should consist of representatives from the Data Protection, Human Resources and Legal department. For the definition of the holistic monitoring framework, subject matter experts of the in-scope risks, as well as representatives from the monitored business areas should be involved. Once the holistic monitoring has been implemented, the execution should initially sit in the second line of defense. At a later stage, once the framework is more mature, the execution of the monitoring could be transferred to the first line of defense, for example to a business risk management team.

Management information

Reports of holistic monitoring should only be shared on a need-to-know basis and in an anonymized manner. Certain quantitative information should be available, such as number of alerts triggered and reviewed, how many of these revealed further risks, as well as to which risk scenario and business activity they relate to. In addition, a description of the individual cases should be outlined. The reports should be prepared dependent on three target groups:

• Monitored business areas: Focus on findings
• Monitoring team: Focus on effectiveness of the program and identification of trends or patterns
• Other stakeholders: Such as internal audit.

Communication

Employees covered by holistic monitoring must be informed upfront. Dependent on the local regulatory requirements, a written consent must be provided by the employees. Where worker’s councils exist, it is recommended to liaise with them ahead of the communication to ensure alignment and support.

Data protection

It is crucial to involve the Data Protection Officer during the project phase and the ongoing review. It is important that the interests of the stakeholders and the appropriateness of the data usage are taken into consideration. Access to the data should be limited to a need-to-know principle and access provisions must be reviewed regularly. In case of uncertainties, it is important to actively involve the Data Protection Officer to get his or her expertise and assessment. Data protection must be considered throughout the various elements of holistic monitoring.

Embedding the holistic monitoring in the existing risk management and compliance frameworks

Holistic monitoring is not a ‘stand-alone’ monitoring program. It is rather an additional layer on top of the existing control frameworks of the underlying individual risks. The holistic monitoring program should be aligned to the frameworks of the individual risks.

Autorin: Gabriella Stratoti

Gabriella Stratoti Gabriella Stratoti (BSc BA Finance & Banking, DAS Compliance Management, MAS Economic Crime Investigation) works in the banking industry for more than 15 years and is an expert in the areas of monitoring and controls. She wrote her Master thesis about the concept of holistic monitoring for the banking industry as part of her MAS Economic Crime Investigation. The content of this blog is not related to her employer.

* Die meisten Blogbeiträge erscheinen in Deutsch. Ausnahmsweise erscheinen Beiträge auch in Englisch und Französisch, den Sprachen, in denen Schweizer Expertinnen und Experten in der Bekämpfung von Wirtschaftskriminalität häufig arbeiten.