Retail Banking – delivering for consumers? - Deputy Governor Ed Sibley

The Banking & Payments Federation Ireland (BPFI) - National Retail Banking Conference – “Delivering for the Customer’ 12 November 2019.

Introduction¹

Good morning ladies and gentleman. I am delighted to be here today at the Banking & Payments Federation Ireland (BPFI) Annual Retail Banking Conference.

The theme of the conference “Delivering for the Customer” is clearly important – arguably never more important, given the low levels of trust that customers have in the retail banks operating in Ireland.  Indeed, this is so problematic that an entirely new organisation, the Irish Banking Culture Board (IBCB), has been set up with one overriding mission: “to make banking in Ireland trustworthy again.²” While not unique to Ireland, it is remarkable that this is necessary. 

Moreover, as is evident from the agenda of and speakers at today’s conference, the approach to delivering for your customers is undergoing fundamental change. 

The Central Bank’s mission is to serve the public good by safeguarding monetary and financial stability and working to ensure that the financial system is operating in the best interests of consumers and the wider economy. 

The Central Bank’s aspiration is for a functioning financial services system that sustainably serves the needs of the economy and its consumers. This requires functioning and trustworthy financial markets and firms.  It also requires that the financial system and firms operating within it are resilient – this resilience being a fundamental aspect of protecting consumers. The functioning of the retail banking market and how it delivers for its customers is clearly important to the delivery of this aspiration. 

Today, I am going to focus my remarks on:

1. The theme of delivering for your customers, and the continued dissonance between what you say and what some of your customers’ experience. I will highlight that delivering for your customers requires more than branding and marketing slogans – being trustworthy requires you to deliver in line with them on a consistent basis. 

2. Technology risk, noting that more needs to be done to build operational resilience at the same time as developing innovative solutions to deliver in line with your customers’ needs. 

3. Some of the environmental issues facing the retail banking sector - encouraging you to take a long-term view in building sustainable business models, such that the foundations of the Irish retail banking sector are strong enough to continue to serve the needs of your customers over the long term.

Delivering for the customer

So let me start with your customers and how you say that you are delivering for them.   You are:

• “backing brave”;
• “providing help for what matters”;
• the “bank of you”; and
• encouraging customers to “begin” or “keep going”.

All admirable sentiments, doubtless carefully considered, expensively developed and suggestive of a desire for a deep and long-lasting relationship between bank and customer.

However, the real test of a relationship is not when things are new and going well, but over the long term, including when difficulties are experienced, when there are bumps in the road.  In circumstances when trust is low and one party in the relationship has repeatedly resisted doing the right thing, one has to question the future of that relationship.

On too many serious issues – such as tracker mortgages, non-performing loans, some Brexit preparedness issues - the Central Bank has had to push too many retail banks too hard over too long to actually put your customers first.  Too often in the recent past the retail banks’ behaviours have not been consistent with your slogans and your stated desire to build trust and have long-standing relationships with your customers.  

Looking at one crucial market today, the mortgage market, there is a high reliance on inertia to enable sizeable differences in interest rates to persist between new customers and existing ones.  The Central Bank has acted to ensure that customers are informed if their provider is offering cheaper interest rates³, but switching remains low.

Furthermore, sustainable resolution of mortgage arrears has required determined and ongoing Central Bank intervention to protect consumers’ interests.  I spoke at length on this topic at MABS’ national conference last week⁴, so I will only touch on it briefly.  It is disappointing that today the Central Bank is still having to push banks and non-banks too hard to take a customer centric approach to resolving arrears.

The Central Bank does not have a preference for loan sales.  We have a preference for sustainably reducing non-performing loans.  There are multiple tools available, including: re-engaging with borrowers, restructures, accounting write downs, mortgage to rent, engaging through the Insolvency Service, sales and securitisations and the legal process.  Your commitment to delivering for your customers must continue to extend to those that are in difficulty if you truly want to be considered trustworthy.  

Workouts remain hugely important.  Banks need to engage with their customers in a sensible and proactive manner with a view to finding long-term solutions that work for both parties. A sustainable restructure is good for the borrower and for the lender, including in retaining interest income.  These long-term benefits are not always being given sufficient prominence relative to shorter-term capital relief.

These issues raise questions in my mind such as:

• How do you truly value the customer relationships your marketing suggests you are trying to build over the long term?
• What do these issues reveal about your commitment to rebuild trust?
• What does it say on your commitment to delivering for your customers when you are still having to be pushed on mortgage arrears?
• What does it say about the sustainability of your concentrated business models that you are relying on inertia rather than proactively looking after your loyal customers?

These are not idle questions.  The threats you face are not just from technology changes, and from environmental factors.  They also arise from the extent that your customers trust you, particularly as competition increases, as delivery fragments and different relationships evolve.   

If you truly believe that relationship building and trust are important for your long-term success, further change is needed.  The Central Bank will continue to require you to do so in line with and to the edge of our mandate (for example, see recommendations in the 2018 Behaviour and Culture Report⁵) and our work on developing a Senior Executive Accountability Regime⁶), but you also have to genuinely and meaningfully want to.  Retail banks have a responsibility to not just focus on the letter of the law⁷, but also act in line with your stated values and marketing.

Going beyond the bottom line and demonstrating your value to Irish society would be worthwhile.  Meaningfully intervening to improve financial education and literacy across Ireland, helping people make smarter decisions, could be a good place to start. 

Financial innovation and technology risk

Technology change is disrupting the landscape of financial services. The competitive landscape is changing, with new entrants, new business models, a race by incumbents to invest in developing the necessary capabilities, and in many cases the potential for a fundamental disruption in the value chain of traditional financial services firms and sectors. Moreover, it is becoming ever more evident that data, and the harnessing of it, is the new currency of this new digital age⁸.

Technology developments have:

• exponentially increased the proliferation of data and the speed with which it can now be analysed and processed;
• changed customer expectations of functionality; and
• increased outsourcing of technology services, including cloud storage. 

If the current pace of change is anything to go by, the future is a vast unknown where only those able to adapt at pace will be able to survive.  Indeed, it is arguable that there is no part of the traditional financial services value chain that cannot be done better, smarter and more effectively. 

Technology will also potentially affect retail banks’ balance sheets.  For example, new digital apps allow depositors to switch banks by clicking a few buttons, reducing the reliability of deposits as a source of ‘sticky’ funding⁹.

In my role, I welcome the opportunities for the financial services system to better serve the needs of the economy and its customers, but I am also mindful of the risks.

The pace of change, together with the borderless nature of technology, does require an appropriate level of caution to be taken, through financial services firms taking risk-based approaches to strategic and business initiatives.  Financial services firms need to make informed choices about where and how they are going to adapt and make sure that the associated risks are understood, considered, and measured as they make changes to their processes and business models.

The Central Bank considers these issues in a number of different ways, working from the top down through the lenses of strategy, governance, oversight, risk management, and so on; and from the bottom up focusing on the management of the technology itself, and the broader topic of operational resilience.

It is fair to say that while we see some good practices, both in incumbent banks and challengers, we also continue to see significant issues. 

Strong Foundations

There remains a need for substantial investment in Irish banks’ technology and data capabilities. Many banks still use outdated and fragmented IT systems. The foundations are not yet sufficiently strong to effectively manage the technology risks.

Delivering for your customers requires that your systems and data are available, reliable and secure. You must continue to strive to reduce the frequency and impact of issues and have an ability to recover quickly from them. Operational resilience is critical.

Boards and senior management need to take responsibility for safeguarding the trust in and reputation of their organisation by prioritising the security, resilience and use of their data and systems.  As well as espousing a digital strategy for the future, incumbent and challenger banks need to ensure:

• the IT risk management and IT security arrangements are sufficiently robust;
• all IT assets are actively managed, including through risk assessments to adequately understand the threats and vulnerabilities to them;
• all the systems and processes that support your business services, including all the third-party relationships, are understood and being actively managed;
• their IT risk profile is understood and consistent with the overall bank’s risk appetite; and
• IT strategy is aligned with the business strategy.

As outlined in the Central Bank’s Guidelines on Information Technology and Cybersecurity Risks¹⁰ Boards and senior management across the financial services sector need to more actively engage in the oversight of technology risk.  This requires having both the necessary skill set and mindset at these senior levels to understand the evolving technology landscape and make informed decisions about it.  The technical changes that are sweeping through financial services need to be accompanied by governance and risk management changes. 

Cybercrime is constantly evolving – the frequency, sophistication and volume of attacks is increasing. The failure to adequately protect against cyber-attacks can have far-reaching repercussions given the interconnected nature of the financial system¹¹. Retail banks need to continue to invest more to increase resilience to service outages and cyber-attacks, as well as to keep pace with services offered by new financial technology firms.

Data

Data has the potential to revolutionise banking.  However, this can only happen if the data are reliable and available.  From our on-site inspection work, we have identified many weaknesses in firms’ abilities to effectively understand, use and report on their data¹².  Firms must have reliable data if they are to rely on it for critical intelligence and decision-making.  Those that manage this transition best are likely to be the firms that survive and thrive.

Digitalisation brings with it data responsibilities.  Data is being collected and stored in non-traditional manners.  The onus is on institutions to have adequate safety nets in place to protect consumer data.  Additionally, there is a responsibility to use it to get the best outcome for all stakeholders – to not to use the advantages of big data to the long-term detriment of customers.

Outsourcing

Outsourcing remains a key focus area for the Central Bank¹³ due to its extensive use across financial services firms. While it is possible to outsource a service, you cannot outsource the risk.  The responsibility and accountability for ensuring security and resilience of a firm’s data and services remains firmly with its board. 

In too many cases, the Central Bank is still finding significant issues in the management of outsourcing arrangements, including:

• poor governance and controls around the risk assessment and management of outsourcing;
• inadequate monitoring and reporting;
• failure to consider third-parties in business continuity plans and tests; and
• a lack of exit strategies or contingency plans should the firm need to find a new service provider or bring the service back in house. 

These issues are concerning given that a large proportion of outsourcing arrangements involve sensitive customer and business data, including to cloud service providers.

With all outsourcing arrangements, boards and senior management must understand that they are placing the resilience of their firm into the hands of a third-party and while they may be able to monitor the service during normal operation, when something goes wrong, they are reliant on someone else to fix it.  Some firms might seek to take comfort from the fact that they outsource to a parent or group company rather than a third party, but, as has been seen with a number of high-profile events, firms cannot always rely on the parent to provide uninterrupted service.  Boards and senior management need to understand where their firm’s systems and data sit on the group priority list should something go wrong.

Central Bank’s approach

Irrespective of what technology is being used by banks, the same principles of regulation and supervision, including the rules of the Consumer Protection Code, apply to both digital and traditional delivery channels.

In issuing the Cross Industry Guidance in respect of Information Technology and Cybersecurity Risk in 2016, the Central Bank has taken steps to recognise and respond to these risks.  The EBA has also responded to IT risk, issuing guidelines on how to assess IT under SREP in 2017¹⁴, followed by detailed guidelines on how financial institutions should manage their outsourcing¹⁵ arrangements in 2019.  The Central Bank welcomes the EBA’s move to describe the expectations on IT and security risk management for the financial institutions via new Guidelines to be published this November.

The Central Bank’s IT inspection team has significantly enhanced the intensity and intrusiveness of supervision of IT related risk across the financial services sector.  Identified issues are required to be resolved through risk mitigation programmes and we will continue to issue thematic findings from our work to highlight areas for improvement for all firms.  Where necessary we have used our powers to sanction failures and require the use of third parties to help drive improvements.  We have further strengthened our capabilities by implementing TIBER-IE¹⁶, and we will continue evolve our supervisory practices and models to ensure they remain relevant for the developing environment. 

Moreover, recognising the challenges and opportunities that arise from this revolution, we are continuing to enhance our data analytical capabilities, including through investment in our systems, our data collection and restructured the organisation of Prudential Regulation to best utilise our resources.  

Finally, through our ongoing interaction with supervised firms, market monitoring, research, and our innovation hub we seek to ensure that we understand how the financial system is evolving and the associated risks. 

The Developing Environment

In my role on the SSM Supervisory Board, I have the privilege of looking across the Eurozone banking system, seeing the good, the bad and the ugly in terms of business models, financial and operational resilience, and the effectiveness of governance and risk management arrangements.

As well as the trust, technology disruption and operational resilience challenges I have covered already, banks across the Eurozone, including in Ireland, face numerous challenges – including, for example:

• macroeconomic and political risks and uncertainties;
• the low interest-rate environment;
• high cost to income dynamics;
• a continued need to improve governance and risk management effectiveness; and
• the need to enhance resolvability.

Investors are clearly concerned about Eurozone banks’ ability to successfully meet these challenges, as evidenced by low price to book ratios¹⁷.  It is important to note that debt prices have remained comparatively stable across Europe, including for Irish banks.  Thus the market seems to be pricing based on expected returns but not a significant rise in default risk.        

In this environment, banks may face incentives to elevate risk taking to meet return expectations of market participants.  Moreover, the avenue of increasing fee-based income (which is low in the Irish retail banks relative to many European peers) is becoming more challenging due to competition from non-banks.

As income gets squeezed, so the pressure on costs increases.  It is perfectly rationale for banks to seeking to reduce costs, particularly in the face of pressure from competitors with less infrastructure. Board oversight of where costs are being reduced is vital in ensuring that cost cutting is not leading to the risk profile of the bank increasing outside of its risk appetite.

These pressures could lead to an unsustainable, pro-cyclical expansion in credit over time. While risk-taking is not excessive at present, at least in part due to the Central Bank’s interventions, there is some tentative evidence of increased risk-taking in some areas, facilitated by the broader macroeconomic environment.¹⁸

In other words, financial conditions are evolving to incentivise banks to shift up the risk curve, in both credit and treasury portfolios.  For example, Irish retail banks are increasing their exposure to global leveraged finance markets and increasing use of non-price based incentives domestically – such as payment holidays for new mortgages – where the Central Bank has some concerns.  

Regulators have interesting and challenging roles.  They must remember the lessons of the past, assess the risks of today, and look forward to risks and issues that may emerge in the future.  I am acutely aware that future problems will be different to past ones, but history also shows that there are often commonalities.  

There is a program on RTÉ (the Irish national broadcaster) called “Reeling in the Years”¹⁹.  A recent episode focused on 2007, showing footage of the Irish banks’ CEOs giving assurances about risks being well understood, highlighting record levels of profitability, and complaining about being shackled by regulation.  And yes, there was a clip of the Central Bank giving assurance about capital levels.  

While we need to avoid being obsessed with the past, we do need to remember it.  In short, we need to beware the return of hubris.

For our part, strengthening financial resilience is a key supervisory priority area in 2020^v. Two of the key aspects of this are credit underwriting and business model sustainability, which will be the subject of considerable focus in 2020 and beyond.

Conclusion

Retail banking faces a challenging and unpredictable future.  The winds of change are strong, but the fundamental requirements of modern economies and societies would suggest that there will continue to be a need for retail banking services to be delivered long into the future. 

So, while there are risks and uncertainties there must also be opportunities. Taking advantage of these opportunities requires longer-term thinking and investment, by both incumbents and new entrants.  This includes investing in infrastructure, technology, people and culture that will enable delivery into the future. 

It also requires change to demonstrate trustworthiness and that you are committed to delivery for your customers beyond short-term acquisition.  The Central Bank’s expectation is that banks’ operating models are more than technology and innovation driven. As outlined by my colleague Grainne McEvoy²⁰, the greatest risk to consumers comes not from technological developments, but from the culture of the firms in charge of the technology.  If you put new technology in the hands of people and firms who are committed to protecting and delivering value for their customers, it is far more likely to result in positive consumer outcomes.

Moreover, delivery for your customers requires that retail banks are financially and operationally resilient, well-governed, understand and manage their risks and have sustainable business models.  Whatever changes come to products, services, delivery channels and customer expectations, these fundamentals will remain of crucial importance and will continue to form the basis of the Central Bank’s approach to the prudential supervision of the retail banking sector. 

Thank you for your attention.
_____________________________________

[1] With thanks to Marie Duffy, Joe McCullough, Micheal Kelly, Padraig Browne and Mary-Elizabeth McMunn for their help in drafting these remarks.

[2] Irish Banking Culture Board: Changing Banking Culture in Ireland.

[3] Central Bank of Ireland: New Requirements Introduced to Provide Additional Transparency and Facilitate Mortgage Switching (20 June 2018).

[4] Sibley, Ed: Building Financial Resilience, address to Money Advice & Budgeting Service (MABS) National Conference (5 November 2019).

[5] Central Bank of Ireland: Behaviour and Culture of the Irish Retail Banks (July 2018).

[6] Rowland, Derville: The Senior Executive Accountability Regime: Our Expectations of Firms, address to IBEC Fraud Prevention Forum (31 October 2019).

[7] Sibley, Ed: Is it legal? A Questions of Culture, address to Eversheds Sutherland Conference on “Leadership and Culture Change in Financial Services” (14 November 2017).

[8] World Economic Forum: Big Data, Big Impact: New Possibilities for International Development (22 January 2012).

[9] Enria, Andrea: A binary future? How digitalisation might change banking speech at the Banking Seminar organised by De Nederlandsche Bank, Amsterdam (11 March 2019)

[10] Central Bank of Ireland: Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks (September 2016).

[11] University of Cambridge Judge Business School: Cyber Risk Outlook 2018

[12] Sibley, Ed: The need for resilience in the face of disruption, address to the Financial Central Summit (November 2018)

[13] Central Bank of Ireland: Conference on Outsourcing (30 April 2019).

[14] European Banking Authority: Final Guidelines on ICT Risk Assessment under SREP (EBA-GL-2017-05) (2017).

[15] European Banking Authority: Guidelines on ICT Risk Assessment under SREP(2017).

[16] European Central Bank: TIBER-EU.

[17] Central Bank of Ireland: Financial Stability Review 2019:I (11 July 2019).

[18] Central Bank of Ireland: Financial Stability Review 2019:I (11 July 2019).

[19] See www.rte.ie

[20] McEvoy, Grainne: Culture and consumer protection: The role of compliance, address to the Association of Compliance Officers Ireland 2018 Conference on Culture Conduct and Compliance (8 November 2018).