In this paper, we focus on the integrated risk management aspects of retail banking. The
scenario provides one specific example within retail banking, the Account Originations
process, out of a broad set of integrated risk management scenarios. Within Account
Originations, we highlight regulatory compliance, fraud risk, and credit risk management
procedures and best practices.
An increased focus on credit risk, fraud, and compliance for retail banks
The 2008 credit crisis revealed a fundamental breakdown in risk management that left retail
banking exposed. This was due to a number of factors, including:
Ample credit availability
Weakness in risk culture
Lack of executive-level risk governance and oversight
Lack of integration and complexity
The credit crisis and rising financial crimes from the digital economy resulted in cross-border
coordinated regulatory and agency oversight. Growth in the digital economy has seen a
proportional rise in all categories of fraud over the past decade:
A significant rise in mortgage fraud during the real estate bubble arising from easy credit.
The post-2008 crisis saw the emergence of fraud in the application of federal stimulus and
home foreclosures.
The emergence of an underground economy monetizing stolen identities, illegal
transactions, phishing, and other financial crimes is causing losses in retail banking.
[Figure: US financial fraud. Number of suspicious-activity reports filed ('000, axis 0 to 800), by year, 1997 to 2008. Categories: money laundering, check fraud, mortgage fraud, credit/debit-card fraud, identity theft, false statement, consumer-loan fraud, other. Source: US Financial Crimes Enforcement Network]
Source for the preceding facts in this section: Kroll, Association of Finance Professionals and US Financial
Crimes Enforcement Network
The case study that we describe in this paper includes the following key actors and roles:
Thomas Arnold, Chief Operating Officer, JKHL Bank
Sandy Osbourne-Archer, Chief Technical Architect, JKHL Bank
Geoffrey Carroll, Banking Industry Architect, IBM
In a conversation with Sandy Osbourne-Archer, the JKHL Bank’s chief operating officer,
Thomas Arnold, outlines the company objectives and business requirements. Thomas and
Sandy agree that in recent years, JKHL Bank has become a leader in retail banking and has
To make their banking operations more profitable and achieve these business
objectives, Thomas and Sandy agree to recruit IBM to analyze the bank's existing business
processes and provide recommendations for a business transformation. This IBM team is led
by Banking Industry Architect Geoffrey Carroll.
Note: Although the mortgage origination process is analyzed in this section, the suggested
refinements are applicable to any Account Originations process.
Underwrite Loan: The underwriter receives the loan app from the queue. Reviews all available info on borrowers and creates loan conditions. If mismatch with supporting documentation. The underwriter also reviews borrowers credit and fraud reports and determines if further investigation is needed. If info submitted is sufficient to make a decision, then the loan is approved/denied/submitted for counter offer. Role: Underwriter
Prepare for Closing: Loan conditions are cleared or loan is amended as needed. If borrower accepts loan offer, app is routed for drawing up docs. If loan is not accepted or approved on amended terms, loan is denied and routed to non-funded loans process. Role: Loan Processor
Loan Closing: Communicate with closing agent and schedule a closing date. Generate closing docs, review file for completion and send to Loan Closer for funding. Role: Document Coordinator/Loan Closer
Loan Funding: Contact closing agent, prepare wire information, obtain any pending docs to satisfy loan conditions and release funds. Send file to post funding queue for final checks and storing file in repository. ...
Geoffrey recommends two main processes for re-engineering: Setup Loan and Underwrite
Loan.
[Figure: process flow with the steps: Review and verify borrower and co-borrower's information is complete; Review and verify property information is complete; Order Credit Report and Appraisal; Conduct Mortgage Due Diligence; Complete Loan Setup and Route to appropriate underwriting department based on business rules.]
The Conduct Mortgage Due Diligence sub-process can be broken down into two parts: one
that addresses regulatory compliance checks, and one that addresses fraud and credit
checks.
[Figure: regulatory compliance checks. Step: Check id match and/or relationship match with individuals on OFAC, PEP, 314A (suspected terrorist) and internal fraud lists and Generate KYC Risk Score. Decision (Yes/No): If match with OFAC 314A, PEP or internal bad list. Step: Financial Investigative Unit (FIU) to check applicant information further and confirm match. Decision (Yes/No): New customer? Annotation: KYC Score presents a risk score based on borrowers information such as: entity type (enterprise, individual, charity org.), demographics, identity information.]
Challenges addressed
This sub-process addresses the challenges with the existing business, as outlined by
Geoffrey Carroll in “Observing the existing business” on page 7:
The bank needs a more effective way to isolate the most suspicious applicants and reduce
the number of manual investigations and false positives.
With newer business channels such as online and mobile, fraud opportunity is much
greater, leading to increased regulatory compliance needs.
An inability to confirm that all identity and fraud checks have been completed, since tasks
are currently manual and dependent on account processors.
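The compliance half of this sub-process, sketched as an added example (not code from the paper or from any IBM product): every list check is recorded, a hit routes to the FIU, and an application with any check missing is held instead of passing silently. The list entries, the score weights, the 0.85 threshold and the rule that a birth date must corroborate a name match are all assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries; real OFAC, PEP and 314(a) data come from their issuers.
WATCHLISTS = {
    "OFAC": [("Ivan Petrov", "1970-03-02")],
    "PEP": [("Maria De La Cruz", "1965-11-20")],
    "314A": [("John Q Sample", "1981-07-15")],
    "INTERNAL": [("Bob Marcus", "1979-01-09")],
}
REQUIRED_CHECKS = set(WATCHLISTS) | {"KYC_SCORE"}
# Assumed weights: the paper names the score inputs, not their values.
ENTITY_RISK = {"individual": 10, "enterprise": 25, "charity": 40}


def normalize(name):
    """Drop accents, case and punctuation; sort tokens so word order is ignored."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return " ".join(sorted(tokens))


def is_match(applicant, entry, threshold=0.85):
    """Assumed rule: similar name AND same birth date, to limit false positives."""
    name, dob = entry
    ratio = SequenceMatcher(None, normalize(applicant["name"]), normalize(name)).ratio()
    return ratio >= threshold and applicant["dob"] == dob


def kyc_score(applicant):
    """Score from entity type, customer tenure and identity verification."""
    return (ENTITY_RISK.get(applicant["entity_type"], 50)
            + (20 if applicant["new_customer"] else 0)
            + (30 if not applicant["id_verified"] else 0))


def due_diligence(applicant, lists=WATCHLISTS):
    """Run every check, record it, and route: HOLD, FIU or CONTINUE."""
    completed, hits = set(), []
    for list_name, entries in lists.items():
        if any(is_match(applicant, entry) for entry in entries):
            hits.append(list_name)
        completed.add(list_name)
    score = kyc_score(applicant)
    completed.add("KYC_SCORE")
    if completed != REQUIRED_CHECKS:
        route = "HOLD"      # fail closed: a skipped check never reaches underwriting
    elif hits:
        route = "FIU"       # Financial Investigative Unit confirms the match
    else:
        route = "CONTINUE"
    missing = sorted(REQUIRED_CHECKS - completed)
    return {"route": route, "hits": hits, "kyc_score": score, "missing": missing}
```

The returned record doubles as the audit evidence that each check ran, which is what the manual process cannot show.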
[Figure: fraud and credit checks. Labels: Fraud Checks, Fraud Checks via predictive analysis, Credit Checks, Deny Application.]
Challenges addressed
This sub-process addresses the challenges with the existing business, as outlined by
Geoffrey Carroll in “Observing the existing business” on page 7:
Current tools support only simple fuzzy logic matches, leading to inaccuracies in
identifying potentially fraudulent applicants.
A limitation in enterprise data and analytical tools has forced the focus on transactional
fraud, rather than preventive techniques.
Manual intervention is prevalent in automated parts of the Account Originations process
for simple-to-critical decision making.
The post-funding audit process is lengthy and time consuming due to missing compliance
documentation.
[Figure: process flow. Decision (Yes/No): Is there a discrepancy based on application information and supporting docs? Steps: Continue processing by validating property liens, tax information, appraisal, etc.; Determine loan pricing and validate loan product.]
Using the IBM Banking Payments Content Pack for WebSphere, Geoffrey estimates JKHL
Bank can save about 30% of the time from the business analysis, design, and development
cycle of the solution.
[Figure: diagram labels: DDA, ATM, CF, Mobile App, Online, Commercial, Credit Card, Lending Systems, Relationship Manager, AML Case Management, Credit Card Case Management, Identity CM, eCommerce CM, ACH/Wire CM, with repeated DS and OD boxes.]
Geoffrey then outlines JKHL Bank’s architectural principles for redesigning this solution:
The channel architecture/presentation layer will be lightweight, with business logic held in
the middleware layer or application servers.
The middleware layer will be the integration vehicle between applications and the standard
user interface, and will provide services that will enable those interactions.
The solution will be service-oriented.
Applications will be built as services or collections of services, to maximize business
flexibility and agility.
Applications will locate services through a registry.
Applications will interact with the SOA infrastructure according to agreed (and
documented) behavior.
Service levels covering performance and availability will be defined and agreed by all the
stakeholders and stated in business terms.
Services will be used to access data (no direct coupling to data stores).
Need for a robust SOA infrastructure for rapid, flexible application development and to reduce costs.
Need for reuse of existing assets and services.
Need to secure, manage and govern services across the enterprise for an optimal operational environment and success with future SOA based projects.
Patterns to apply:
– Rapid Development and Integration (Service Creation) pattern: IBM Rational® Rose® Data Modeler, Rational Software Architect.
– Connectivity pattern: IBM WebSphere Message Broker, IBM WebSphere Service Registry and Repository.
– Security pattern: IBM Tivoli® Directory Server, IBM Tivoli Federated Identity Manager, IBM Tivoli Access Manager.
– Management pattern: IBM Tivoli Composite Application Manager for WebSphere Application Server, IBM Tivoli Composite Application Manager for SOA, IBM Tivoli Monitoring.
– Governance pattern: IBM Rational Asset Manager, IBM Tivoli Change and Configuration Management Database, IBM Rational Method Composer
[Figure: Identity Insight (Perpetual, Streaming, Real-Time Analytics). Each new applicant compared to key historical holdings instantly. Labels: New Applicants, 1,000s of sources, 1 Degree, 2 Degrees, Alert!]
Applying the Risk Analytics business pattern for KYC and fraud risk
predictive analysis
The Risk Analytics pattern is applied specifically for KYC and fraud risk predictive analysis to
address the following challenges:
JKHL Bank needs an automated and consistent solution to:
– Risk assess all new customers for KYC regulatory requirements.
– Effectively screen all applications for applicant, property appraiser, and financial fraud.
[Figure: diagram labels: Business Intelligence, Development, Marketing, Fraud, AML, Corp. Security, Legal; Payments, Mortgage, On-line banking, Deposit, Insider, Credit, Card, BSA, OF.]
[Figure: process flow. Decision (No/Yes): FIU Review Required? Steps: Conduct Credit Risk Analysis; Route to FIU. Rule Repository: Order validation rules, Fraud detection rules, Computation rules.]
Technical problem
JKHL Bank’s environment is tightly coupled and contains many point-to-point connections
between several business applications, which makes it hard to change current systems or
add new ones. The bank needs hundreds of project hours to make changes to its
existing monolithic, home-grown, and heritage applications to meet new business
requirements. Integrating these heritage applications with front-end applications is also a
challenge. Additionally, because JKHL Bank acquired and merged with other banks over the
years, applications and data became even more disintegrated.
The ESB provides support for multiple protocols and message formats between applications
at the channels and corporate data center. IBM Information FrameWork provides the initial
services design using the Financial Services-Interface Design Model (FS-IDM) to provide a
common service language for JKHL Bank.
[Figure: diagram labels: Process Manager, Enterprise Information Systems, Banking Industry Models, Analytics, Master Data Mgmt, Unstructured Data.]
Technical problem
JKHL Bank needs an integrated and centralized SOA security policy management across all
endpoints for interactions with service requestors and providers. The bank needs to manage
identities efficiently, and this identity information must be available across request flows
(including access to services on z/OS®). The security of transactions is important to JKHL
Bank, and they must assess compliance with their business policies.
Business value-of-adoption
By adopting a federated security approach, JKHL Bank can secure its environment
end-to-end, control access to its back-end systems, and comply with security policies across
all business applications.
Technical problem
JKHL Bank wants to manage composite applications efficiently, which includes life cycle
management, business processes, transactions, Web services, and interactions with
partners. The bank needs to monitor transactions closely, which includes services on z/OS.
Contextual information must be available for critical points in the flow. The bank needs the
ability to specify service level agreements (SLAs) and monitor and report them.
Business value-of-adoption
By implementing a mechanism to perform event correlation across IT tiers, JKHL Bank
reduces time for problem determination. For example, if interaction services or business
partner services are down, less time is spent in analyzing events that the middleware emits.
Management of systems on z/OS helps to detect and isolate problems quickly when they
occur on complex CICS systems. Integrating, automating, and optimizing data, workflows,
and policies helps JKHL Bank align the ongoing management of its infrastructure with its
business.
JKHL Bank now complies with government, banking, and regional regulations, such as ITIL®,
SOX, and Basel II. To regulate the creation of new services with future SOA projects, JKHL
Bank implements a centralized registry and repository, using a combination of Rational Asset
Manager, WebSphere Service Registry and Repository, Tivoli Change and Configuration
Management Database, and Rational Method Composer.
JKHL Bank has now reduced exposure to litigation and is trusted by its customers and
partners by following banking, government, and regional regulations.
Solution architecture
By applying the SOA patterns, Geoffrey Carroll (with his team of IBM consultants) and Sandy
Osbourne-Archer can define a proposed solution architecture for JKHL Bank. This is shown
in Figure 15 on page 33.
[Figure 15: proposed solution architecture. Numbered components 1, 3 and 4 are marked. Recoverable labels: Rich Client, Relationship Managers/Agents, Mobile Banking; Data Integration/Customer Information Services; FICO Credit Scores, Demographic Data, 3rd Party Data; Threat & Fraud, Credit Risk Analytics, Business Insight; Master Data Mgmt, Content Mgmt, Document Mgmt Systems; Customer, Account, Product; Banking Industry Models; Banking Data Warehouse, Data Marts, Unstructured Data; Insight & Analytics; Data Warehousing; Information Foundation; Security, Management & Monitoring; Governance; Rapid Development & Integration.]
Geoffrey Carroll describes how the SOA business and infrastructure patterns relate to this
solution architecture. The numbers shown in Figure 15 relate to the following SOA patterns:
1. The Insight and Analytics component of the solution architecture uses the following SOA
patterns:
– Entity Analytics business pattern
• Strengthens Account Origination processes by the use of strategic concepts such
as identification and relationship resolution, and fraud detection.
• With integrated identity and transaction information, case workers focus on decision
making and not querying multiple systems.
– Risk Analytics business pattern
• Provides access to a thorough and holistic view of a customer’s credit exposure, so
loans can be originated in-line with tighter lending standards.
• Improved analytics by integrating predictive analysis with identification resolution,
providing the bank with early detection of risky applicants and better control on the
risk exposure.
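Relationship resolution as the Entity Analytics pattern describes it, shown as an added example rather than code from the paper or from IBM Identity Insight: a new applicant is linked to existing holdings through shared attributes, and flagged entities within two degrees raise an alert. The records, the bad list and the choice of linking attributes are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed holdings: (entity id, attribute kind, value).
HOLDINGS = [
    ("APP-1", "address", "12 Elm St"), ("APP-1", "phone", "555-0101"),
    ("CUST-A", "address", "12 ELM ST "), ("CUST-A", "phone", "555-0177"),
    ("CUST-B", "phone", "555-0177"), ("CUST-B", "email", "b@example.test"),
    ("CUST-C", "email", "B@example.test"),
    ("CUST-D", "phone", "555-0999"),
]
FLAGGED = {"CUST-B", "CUST-C"}                # constructed internal bad list
LINK_KINDS = {"address", "phone", "email"}    # assumed linking attributes


def link_graph(records):
    """Connect two entities whenever they share a normalized attribute value."""
    by_value = defaultdict(set)
    for entity, kind, value in records:
        if kind in LINK_KINDS:
            by_value[(kind, value.strip().lower())].add(entity)
    graph = defaultdict(dict)
    for key, entities in by_value.items():
        for a in entities:
            for b in entities - {a}:
                graph[a].setdefault(b, key)
    return graph


def relationship_alerts(applicant, records, flagged, max_degrees=2):
    """Breadth-first search from the applicant; report flagged entities in range.

    Each alert carries the chain of shared attributes, so a case worker sees
    why the applicant is linked without querying several systems.
    """
    graph = link_graph(records)
    seen = {applicant: []}
    queue = deque([applicant])
    alerts = []
    while queue:
        node = queue.popleft()
        path = seen[node]
        if node in flagged and node != applicant:
            alerts.append({"entity": node, "degrees": len(path), "path": path})
        if len(path) == max_degrees:
            continue    # do not expand beyond the configured distance
        for neighbour in sorted(graph[node]):
            if neighbour not in seen:
                kind, value = graph[node][neighbour]
                seen[neighbour] = path + [(node, kind, value, neighbour)]
                queue.append(neighbour)
    return alerts
```

In the sample, APP-1 reaches the flagged CUST-B through a shared address and then a shared phone number, while CUST-C sits three links away and stays outside the two-degree window.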
Summary
By adopting the business and infrastructure patterns roadmap, JKHL Bank can construct a
solution to improve top-line growth, reduce costs, reduce operational risks, and improve
customer experience.