• Open access
  • Published: 03 September 2022

A literature review of risk, regulation, and profitability of banks using a scientometric study

  • Shailesh Rastogi,
  • Arpita Sharma,
  • Geetanjali Pinto &
  • Venkata Mrudula Bhimavarapu (ORCID: orcid.org/0000-0002-9757-1904)

Future Business Journal, volume 8, Article number: 28 (2022)


This study presents a systematic literature review of regulation, profitability, and risk in the banking industry and explores the relationship between them. It proposes a policy initiative using a model that offers guidelines to establish the right mix among these variables. This is a systematic literature review study. Firstly, the necessary data are extracted using the relevant keywords from the Scopus database. The initial search results are then narrowed down, and the refined results are stored in a file. This file is finally used for data analysis. Data analysis is done using scientometrics tools, such as Table2net, ScienceScape, and Gephi, to conduct network, citation, and page rank analysis. Additionally, content analysis of the relevant literature is done to construct a theoretical framework. The study identifies the prominent authors, keywords, and journals that researchers can use to understand the publication pattern in banking and the link between bank regulation, performance, and risk. It also finds that concentration banking, market power, large banks, and less competition significantly affect banks’ financial stability, profitability, and risk. Ownership structure and its impact on the performance of banks need to be investigated but have been inadequately explored in this study. This is an organized literature review exploring the relationship between regulation and bank performance. The limitations of the regulations and the importance of concentration banking are part of the findings.

Introduction

Globally, banks are under extreme pressure to enhance their performance and risk management. The financial industry still recalls the ignoble 2008 World Financial Crisis (WFC) as the worst economic disaster after the Great Depression of 1929. The regulatory mechanism before 2008 (mainly Basel II) was strongly criticized for its failure to address banks’ risks [ 47 , 87 ]. Thus, it is essential to investigate the regulation of banks [ 75 ]. This study systematically reviews the relevant literature on banks’ performance and risk management and proposes a probable solution.

Issues of performance and risk management of banks

Banks have always been hailed as engines of economic growth and have been the axis of the development of financial systems [ 70 , 85 ]. A vital parameter of a bank’s financial health is the volume of non-performing assets (NPAs) on its balance sheet. NPAs are advances on which the payment of interest or principal is delayed beyond a few quarters [ 108 , 118 ]. According to Ghosh [ 51 ], NPAs negatively affect the liquidity and profitability of banks, thus affecting credit growth and leading to financial instability in the economy. Hence, healthy banks translate into a healthy economy.

Despite regulations, such as high capital buffers and liquidity ratio requirements, during the second decade of the twenty-first century, the Indian banking sector still witnessed a substantial increase in NPAs. A recent report by the Indian central bank indicates that the gross NPA ratio reached an all-time peak of 11% in March 2018 and 12.2% in March 2019 [ 49 ]. Basel II has been criticized for several reasons [ 98 ]. Schwerter [ 116 ] and Pakravan [ 98 ] highlighted the systemic risk and gaps in Basel II, which could not address the systemic risk of WFC 2008. Basel III was designed to close the gaps in Basel II. However, Schwerter [ 116 ] criticized Basel III and suggested that more focus should have been on active risk management practices to avoid any impending financial crisis. Basel III was proposed to solve these issues, but it could not [ 3 , 116 ]. Samitas and Polyzos [ 113 ] found that Basel III had made banking challenging since it had reduced liquidity and failed to shield the contagion effect. Therefore, exploring some solutions to establish the right balance between regulation, performance, and risk management of banks is vital.

Keeley [ 67 ] introduced the idea of a balance among banks’ profitability, regulation, and NPA (risk-taking). This study presents the balancing act of profitability, regulation, and NPA (risk-taking) of banks as a probable solution to the issues of bank performance and risk management and calls it a triad. Figure 1 illustrates the concept of a triad. Several authors have discussed the triad in parts [ 32 , 96 , 110 , 112 ]. The triad was empirically tested in different countries by Agoraki et al. [ 1 ]. Though the idea of a triad is quite old, it is relevant in the current scenario. The spirit of the triad strongly and collectively admonishes the Basel Accord and exhibits new and exhaustive measures to take up and solve the issue of performance and risk management in banks [ 16 , 98 ]. The 2008 WFC may have caused an imbalance among profitability, regulation, and risk-taking of banks [ 57 ]. Less regulation, more competition (less profitability), and incentive to take risk were the cornerstones of the 2008 WFC [ 56 ]. Achieving a balance among the three elements of a triad is a real challenge for banks’ performance and risk management, which this study addresses.

Figure 1. Triad of profitability, regulation, and NPA (risk-taking). Note: The triad [ 131 ] of profitability, regulation, and NPA (risk-taking) is shown in Fig. 1.

Triki et al. [ 130 ] revealed that a bank’s performance is a trade-off between the elements of the triad. Reduction in competition increases the profitability of banks. However, in the long run, reduction in competition leads to either the success or failure of banks. Flexible but well-expressed regulation and less competition add value to a bank’s performance. The current review paper is an attempt to explore the literature on this triad of bank performance, regulation, and risk management. This paper has the following objectives:

To systematically explore the existing literature on the triad: performance, regulation, and risk management of banks; and

To propose a model for effective bank performance and risk management of banks.

The literature is replete with discussion across the world on the triad. However, there is a lack of acceptance of the triad as a solution to the woes of bank performance and risk management. Therefore, the findings of the current paper contribute significantly in this regard. This paper systematically collates the previous studies on the triad and presents a curated view to help policy makers and stakeholders make more informed decisions on the issue of bank performance and risk management. This paper also contributes significantly by proposing a DBS (differential banking system) model to solve the problem of banks (Fig. 7). This paper examines studies worldwide and therefore ensures the wider applicability of its findings. The applicability of the DBS model is not limited to one nation; it can also be implemented worldwide. To the best of the authors’ knowledge, this is the first study to systematically evaluate the publication pattern in banking using a blend of scientometrics analysis tools, network analysis tools, and content analysis to understand the link between bank regulation, performance, and risk.

This paper is divided into five sections. The “Data and research methods” section discusses the research methodology used for the study. The data analysis for this study is presented in two parts. The “Bibliometric and network analysis” section presents the results obtained using bibliometric and network analysis tools, followed by the “Content analysis” section, which presents the content analysis of the selected literature. The “Discussion of the findings” section discusses the results and explains the study’s conclusion, followed by limitations and scope for further research.

Data and research methods

A literature review is a systematic, reproducible, and explicit way of identifying, evaluating, and synthesizing relevant research produced and published by researchers [ 50 , 100 ]. Analyzing existing literature helps researchers generate new themes and ideas to justify the contribution made to literature. The knowledge obtained through evidence-based research also improves decision-making leading to better practical implementation in the real corporate world [ 100 , 129 ].

Following the recommendations of Kumar et al. [ 77 , 78 ] and Rowley and Slack [ 111 ] for conducting a systematic literature review (SLR), this study employs a three-step approach to understand the publication pattern in the banking area and establish a link between bank performance, regulation, and risk.

Determining the appropriate keywords for exploring the data

Many databases such as Google Scholar, Web of Science, and Scopus are available to extract the relevant data. The quality of a publication is associated with listing a journal in a database. Scopus is a quality database as it has a wider coverage of data [ 100 , 137 ]. Hence, this study uses the Scopus database to extract the relevant data.

For conducting an SLR, there is a need to determine the most appropriate keywords to be used in the database search engine [ 26 ]. Since this study seeks to explore a link between regulation, performance, and risk management of banks, the keywords used were “risk,” “regulation,” “profitability,” “bank,” and “banking.”

Initial search results and limiting criteria

Using the keywords identified in step 1, the search for relevant literature was conducted in December 2020 in the Scopus database. This resulted in the search of 4525 documents from inception till December 2020. Further, we limited our search to include “article” publications only and included subject areas: “Economics, Econometrics and Finance,” “Business, Management and Accounting,” and “Social sciences” only. This resulted in a final search result of 3457 articles. These results were stored in a .csv file, which is then used as an input to conduct the SLR.

Data analysis tools and techniques

This study uses bibliometric and network analysis tools to understand the publication pattern in the area of research [ 13 , 48 , 100 , 122 , 129 , 134 ]. Some sub-analyses of network analysis are keyword, author, citation, and page rank analysis. Author analysis explains the author’s contribution to literature or research collaboration, national and international [ 59 , 99 ]. Citation analysis focuses on the research articles most cited by researchers [ 100 , 102 , 131 ].

The .csv file consists of all bibliometric data for 3457 articles. Gephi and other scientometrics tools, such as Table2net and ScienceScape software, were used for the network analysis. This .csv file is directly used as an input for this software to obtain network diagrams for better data visualization [ 77 ]. To ensure the study’s quality, the articles with 50 or more citations (216 in number) are selected for content analysis [ 53 , 102 ]. The contents of these 216 articles are analyzed to develop a conceptual model of banks’ triad of risk, regulation, and profitability. Figure 2 explains the data retrieval process for SLR.

Figure 2. Data retrieval process for SLR. Note: Stepwise SLR process and corresponding results obtained.

Bibliometric and network analysis

Figure 3 [ 58 ] depicts the total number of studies that have been published on “risk,” “regulation,” “profitability,” “bank,” and “banking.” Figure 3 also depicts the pattern of the quality of the publications from the beginning till 2020. It undoubtedly shows an increasing trend in the number of articles published in the area of the triad: “risk,” “regulation,” and “profitability.” Moreover, out of the 3457 articles published in the said area, 2098 were published recently in the last five years and contribute to 61% of total publications in this area.

Figure 3. Articles published from 1976 till 2020. Note: The graph shows the number of documents published from 1976 till 2020 obtained from the Scopus database.

Source of publications

A total of 160 journals have contributed to the publication of 3457 articles extracted from Scopus on the triad of risk, regulation, and profitability. Table 1 shows the top 10 sources of the publications based on the citation measure. Table 1 considers two sets of data. One data set is the universe of 3457 articles, and another is the set of 216 articles used for content analysis along with their corresponding citations. The global citations are considered for the study from the Scopus dataset, and the local citations are considered for the articles in the nodes [ 53 , 135 ]. The top 10 journals with 50 or more citations resulted in 96 articles. This is almost 45% of the literature used for content analysis (n = 216). Table 1 also shows that the Journal of Banking and Finance is the most prominent in terms of the number of publications and citations. It has 46 articles published, which is about 21% of the literature used for content analysis. Table 1 also shows these core journals’ SCImago Journal Rank indicator and h index. The SCImago Journal Rank indicator reflects the impact and prestige of the journal. This indicator is calculated as the previous three years’ weighted average of the number of citations in the journal since the year that the article was published. The h index is the number of articles (h) published in a journal that have each received at least h citations. The number explains the scientific impact and the scientific productivity of the journal. Table 1 also explains the time span of the journals covering articles in the area of the triad of risk, regulation, and profitability [ 7 ].

Figure 4 depicts the network analysis, where the connections between the authors and source title (journals) are made. The network has 674 nodes and 911 edges. The network between the author and journal is classified into 36 modularities. Sections of the graph with dense connections indicate high modularity. A modularity algorithm measures how strongly the divided networks are grouped into modules, that is, how well the nodes are connected through a denser route relative to other networks.

Figure 4. Network analysis between authors and journals. Note: A larger node size indicates more authors linked to a journal.

The size of the nodes is based on the rank of the degree. The degree explains the number of connections or edges linked to a node. In the current graph, a node represents the name of the Journal and authors; they are connected through the edges. Therefore, the more the authors are associated with the Journal, the higher the degree. The algorithm used for the layout is Yifan Hu’s.

Many authors are associated with the Journal of Banking and Finance, Journal of Accounting and Economics, Journal of Financial Economics, Journal of Financial Services Research, and Journal of Business Ethics. Therefore, they are the most relevant journals on banks’ risk, regulation, and profitability.

Location and affiliation analysis

Affiliation analysis helps to identify the top contributing countries and universities. Figure  5 shows the countries across the globe where articles have been published in the triad. The size of the circle in the map indicates the number of articles published in that country. Table 2 provides the details of the top contributing organizations.

Figure 5. Location of articles published on the triad of profitability, regulation, and risk.

Figure  5 shows that the most significant number of articles is published in the USA, followed by the UK. Malaysia and China have also contributed many articles in this area. Table 2 shows that the top contributing universities are also from Malaysia, the UK, and the USA.

Key author analysis

Table 3 shows the number of articles written by the authors out of the 3457 articles. The table also shows the top 10 authors of bank risk, regulation, and profitability.

Fadzlan Sufian, affiliated with the Universiti Islam Malaysia, has the maximum number, with 33 articles. Philip Molyneux and M. Kabir Hassan are from the University of Sharjah and the University of New Orleans, respectively; they contributed significantly, with 20 and 18 articles, respectively.

However, when the quality of the article is selected based on 50 or more citations, Fadzlan Sufian has only 3 articles with more than 50 citations. At the same time, Philip Molyneux and Allen Berger contributed more quality articles, with 8 and 11 articles, respectively.

Keyword analysis

Table 4 shows the keyword analysis (times they appeared in the articles). The top 10 keywords are listed in Table 4. Banking and banks appeared 324 and 194 times, respectively, which forms the scope of this study, covering articles from the beginning till 2020. The keyword analysis helps to determine the factors affecting banks, such as profitability (244), efficiency (129), performance (107), corporate governance (153), risk (90), and regulation (89).

The keywords also show that efficiency through data envelopment analysis is a determinant of the performance of banks. The other significant determinants that appeared as keywords are credit risk (73), competition (70), financial stability (69), ownership structure (57), capital (56), corporate social responsibility (56), liquidity (46), diversification (45), sustainability (44), credit provision (41), economic growth (41), capital structure (39), microfinance (39), Basel III (37), non-performing assets (37), cost efficiency (30), lending behavior (30), interest rate (29), mergers and acquisition (28), capital adequacy (26), developing countries (23), net interest margin (23), board of directors (21), disclosure (21), leverage (21), productivity (20), innovation (18), firm size (16), and firm value (16).

Keyword analysis also shows the theories of banking and their determinants. Some of the theories are agency theory (23), information asymmetry (21), moral hazard (17), and market efficiency (16), which can be used by researchers when building a theory. The analysis also helps to determine the methodology that was used in the published articles; some of them are data envelopment analysis (89), which measures technical efficiency, panel data analysis (61), DEA (32), Z scores (27), regression analysis (23), stochastic frontier analysis (20), event study (15), and literature review (15). The count for literature review is only 15, which confirms that very few studies have conducted an SLR on bank risk, regulation, and profitability.

Citation analysis

One of the parameters used in judging the quality of the article is its “citation.” Table 5 shows the top 10 published articles with the highest number of citations. Ding and Cronin [ 44 ] indicated that the popularity of an article depends on the number of times it has been cited.

Tahamtan et al. [ 126 ] explained that the journal’s quality also affects its published articles’ citations. A quality journal will have a high impact factor and, therefore, more citations. The citation analysis helps researchers to identify seminal articles. The title of an article with 5900 citations is “A survey of corporate governance.”

Page Rank analysis

Goyal and Kumar [ 53 ] explain that the citation analysis indicates the ‘popularity’ and ‘prestige’ of the published research article. Apart from the citation analysis, one more analysis is essential: page rank analysis. PageRank was introduced by Page et al. [ 97 ]. The impact of an article can be measured with one indicator called PageRank [ 135 ]. Page rank analysis indicates how many times an article is cited by other highly cited articles. The method helps analyze the web pages that get priority during any search done on Google. The analysis helps in understanding the citation networks. Equation 1 explains the page rank (PR) of a published paper; N refers to the number of articles.

$T_1, \ldots, T_n$ indicate the papers that refer to paper $P$. $C(T_i)$ indicates the number of citations. The damping factor is denoted by $d$, which varies in the range of 0 to 1. The sum of the page ranks of all the papers is equal to 1. Table 6 shows the top papers based on page rank. Tables 5 and 6 together show a contrast in the top ranked articles based on citations and page rank, respectively. Only one article, “A survey of corporate governance,” falls under the prestigious articles based on the page rank.
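The following is an added example, not code from the original paper: PageRank computed by power iteration on a small constructed citation network, showing how the most-cited paper and the highest-PageRank paper can differ, as in the contrast between Tables 5 and 6. It assumes the standard normalized PageRank form with d = 0.85, takes C(T_i) as the number of papers T_i cites, and spreads the rank of papers that cite nothing in the network uniformly; all paper names are hypothetical.

```python
"""PageRank on a citation network (added illustration; data are constructed)."""

# Constructed sample network: key = citing paper, value = papers it cites.
# "Survey" collects the most citations; "Seminal" is cited by fewer papers,
# but one of them ("Survey") is itself highly ranked.
CITES = {
    "A": ["Survey"],
    "B": ["Survey"],
    "C": ["Survey"],
    "D": ["Survey"],
    "E": ["Seminal"],
    "Survey": ["Seminal"],
    "Seminal": [],          # cites nothing inside the network (dangling node)
}


def citation_counts(cites):
    """Number of papers in the network that cite each paper."""
    counts = {p: 0 for p in _papers(cites)}
    for citing, refs in cites.items():
        for cited in set(refs) - {citing}:
            counts[cited] += 1
    return counts


def pagerank(cites, d=0.85, tol=1e-10, max_iter=500):
    """Power iteration for PR(P) = (1-d)/N + d * sum(PR(T_i) / C(T_i)).

    C(T_i) is taken as the number of papers T_i cites (assumption: standard
    PageRank). Rank held by dangling papers is redistributed uniformly so the
    ranks of all papers keep summing to 1.
    """
    papers = _papers(cites)
    n = len(papers)
    # Deduplicate reference lists and ignore self-citations.
    out = {p: sorted(set(cites.get(p, [])) - {p}) for p in papers}
    rank = {p: 1.0 / n for p in papers}

    for _ in range(max_iter):
        dangling = sum(rank[p] for p in papers if not out[p])
        new = {p: (1.0 - d) / n + d * dangling / n for p in papers}
        for p in papers:
            for q in out[p]:
                new[q] += d * rank[p] / len(out[p])
        delta = sum(abs(new[p] - rank[p]) for p in papers)
        rank = new
        if delta < tol:
            break
    return rank


def top_by(scores, k=3):
    """Paper names ordered by descending score (ties broken by name)."""
    return [p for p, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def _papers(cites):
    """All papers appearing as citing or cited, in a stable order."""
    names = set(cites)
    for refs in cites.values():
        names.update(refs)
    return sorted(names)


if __name__ == "__main__":
    counts = citation_counts(CITES)
    ranks = pagerank(CITES)
    print("paper      citations  pagerank")
    for p in top_by(ranks, k=len(ranks)):
        print(f"{p:<10} {counts[p]:>9}  {ranks[p]:.4f}")
    print("top by citations:", top_by(counts, 1))
    print("top by PageRank: ", top_by(ranks, 1))
```
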

Content analysis

Content analysis is a research technique for conducting qualitative and quantitative analyses [ 124 ]. It is a helpful technique that provides the required information for classifying the articles depending on their nature (empirical or conceptual) [ 76 ]. By adopting the content analysis method [ 53 , 102 ], the selected articles are examined to determine their content. The available content from the selected set of sample articles is classified under different subheads. The themes identified in the relationship between banking regulation, risk, and profitability are as follows.

Regulation and profitability of banks

The performance indicators of the banking industry have always been a topic of interest to researchers and practitioners. This area of research has assumed a special interest after the 2008 WFC [ 25 , 51 , 86 , 114 , 127 , 132 ]. According to research, the causes of poor performance and risk management are lousy banking practices, ineffective monitoring, inadequate supervision, and weak regulatory mechanisms [ 94 ]. Increased competition, deregulation, and complex financial instruments have made banks, including Indian banks, more vulnerable to risks [ 18 , 93 , 119 , 123 ]. Hence, it is essential to investigate the present regulatory machinery for the performance of banks.

There are two schools of thought on regulation and its possible impact on profitability. The first asserts that regulation does not affect profitability. The second asserts that regulation adds significant value to banks’ profitability and other performance indicators. This supports the concept advocated by Delis et al. [ 41 ] that the capital adequacy requirement and supervisory power do not affect productivity or profitability unless there is a financial crisis. Laeven and Majnoni [ 81 ] insisted that provision for loan loss should be part of capital requirements. This will significantly improve active risk management practices and ensure banks’ profitability.

Lee and Hsieh [ 83 ] presented ambiguous findings that do not support either school of thought. According to Nguyen and Nghiem [ 95 ], while regulation is beneficial, it has a negative impact on bank profitability. As a result, when proposing regulations, it is critical to consider bank performance and risk management. According to Erfani and Vasigh [ 46 ], Islamic banks maintained their efficiency between 2006 and 2013, while most commercial banks lost efficiency; they further claimed that the financial crisis had no significant impact on Islamic bank profitability.

Regulation and NPA (risk-taking of banks)

The regulatory mechanism of banks in any country must address the following issues: capital adequacy ratio, prudent provisioning, concentration banking, the ownership structure of banks, market discipline, regulatory devices, presence of foreign capital, bank competition, official supervisory power, independence of supervisory bodies, private monitoring, and NPAs [ 25 ].

Kanoujiya et al. [ 64 ] revealed through empirical evidence that Indian bank regulations lack a proper understanding of what banks require and propose reforming and transforming regulation in Indian banks so that responsive governance and regulation can occur to make banks safer, supported by Rastogi et al. [ 105 ]. The positive impact of regulation on NPAs is widely discussed in the literature. [ 94 ] argue that regulation has multiple effects on banks, including reducing NPAs. The influence is more powerful if the country’s banking system is fragile. Regulation, particularly capital regulation, is extremely effective in reducing risk-taking in banks [ 103 ].

Rastogi and Kanoujiya [ 106 ] discovered evidence that disclosure regulations do not affect the profitability of Indian banks, supported by Karyani et al. [ 65 ] for the banks located in Asia. Furthermore, Rastogi and Kanoujiya [ 106 ] explain that disclosure is a difficult task as a regulatory requirement. It is less sustainable due to the nature of the imposed regulations in banks and may thus be perceived as a burden and may be overcome by realizing the benefits associated with disclosure regulation [ 31 , 54 , 101 ]. Zheng et al. [ 138 ] empirically discovered that regulation has no impact on the banks’ profitability in Bangladesh.

Governments enforce banking regulations to achieve a stable and efficient financial system [ 20 , 94 ]. The existing literature is inconclusive on the effects of regulatory compliance on banks’ risks or the reduction of NPAs [ 10 , 11 ]. Boudriga et al. [ 25 ] concluded that the regulatory mechanism plays an insignificant role in reducing NPAs. This is especially true in weak institutions, which are susceptible to corruption. Gonzalez [ 52 ] reported that firm regulations have a positive relationship with banks’ risk-taking, increasing the probability of NPAs. However, Boudriga et al. [ 25 ], Samitas and Polyzos [ 113 ], and Allen et al. [ 3 ] strongly oppose the use of regulation as a tool to reduce banks’ risk-taking.

Kwan and Laderman [ 79 ] proposed three levels in regulating banks, which are lax, liberal, and strict. The liberal regulatory framework leads to more diversification in banks. By contrast, the strict regulatory framework forces the banks to take inappropriate risks to compensate for the loss of business; this is a global problem [ 73 ].

Capital regulation reduces banks’ risk-taking [ 103 , 110 ]. Capital regulation leads to cost escalation, but the benefits outweigh the cost [ 103 ]. The trade-off is worth striking. The Altman Z-score is used to predict banks’ bankruptcy, and it was found that regulation increased the Altman Z-score [ 4 , 46 , 63 , 68 , 72 , 120 ]. Jin et al. [ 62 ] report a negative relationship between regulation and banks’ risk-taking. Capital requirements empowered regulators, and competition significantly reduced banks’ risk-taking [ 1 , 122 ]. Capital regulation has a limited impact on banks’ risk-taking [ 90 , 103 ].

Maji and De [ 90 ] suggested that human capital is more effective in managing banks’ credit risks. Besanko and Kanatas [ 21 ] highlighted that regulation on capital requirements might not mitigate risks in all scenarios, especially when recapitalization has been enforced. Klomp and De Haan [ 72 ] proposed that capital requirements and supervision substantially reduce banks’ risks.

A third-party audit may impart more legitimacy to the banking system [ 23 ]. The absence of third-party intervention is conspicuous, and this may raise doubt about the reliability and effectiveness of the impact of regulation on banks’ risk-taking.

NPA (risk-taking) in banks and profitability

Profitability affects NPAs, and NPAs, in turn, affect profitability. According to the bad management hypothesis [ 17 ], higher profits would negatively affect NPAs. By contrast, higher profits may lead management to resort to a liberal credit policy (high earnings), which may eventually lead to higher NPAs [ 104 ].

Balasubramaniam [ 8 ] demonstrated that NPA has double negative effects on banks. NPAs increase stressed assets, reducing banks’ productive assets [ 92 , 117 , 136 ]. This phenomenon is relatively underexplored and therefore renders itself for future research.

Triad and the performance of banks

Regulation and triad

Regulations and their impact on banks have been a matter of debate for a long time. Barth et al. [ 12 ] demonstrated that countries with a central bank as the sole regulatory body are prone to high NPAs. Although countries with multiple regulatory bodies have high liquidity risks, they have low capital requirements [ 40 ]. Barth et al. [ 12 ] supported the following steps to rationalize the existing regulatory mechanism on banks: (1) mandatory information [ 22 ], (2) empowered management of banks, and (3) increased incentive for private agents to exert corporate control. They show that profitability has an inverse relationship with banks’ risk-taking [ 114 ]. Therefore, standard regulatory practices, such as capital requirements, are not beneficial. However, small domestic banks benefit from capital restrictions.

DeYoung and Jang [ 43 ] showed that Basel III-based policies of liquidity convergence ratio (LCR) and net stable funding ratio (NSFR) are not fully executed across the globe, including the US. Dahir et al. [ 39 ] found that a decrease in liquidity and funding increases banks’ risk-taking, making banks vulnerable and reducing stability. Therefore, any regulation on liquidity risk is more likely to create problems for banks.

Concentration banking and triad

Kiran and Jones [ 71 ] asserted that large banks are marginally affected by NPAs, whereas small banks are significantly affected by high NPAs. They added a new dimension to NPAs and their impact on profitability: concentration banking or banks’ market power. Market power leads to less cost and more profitability, which can easily counter the adverse impact of NPAs on profitability [ 6 , 15 ].

The connection between the huge volume of research on the performance of banks and competition is the underlying concept of market power. Competition reduces market power, whereas concentration banking increases market power [ 25 ]. Concentration banking reduces competition, increases market power, rationalizes the banks’ risk-taking, and ensures profitability.

Tabak et al. [ 125 ] advocated that market power incentivizes banks to become risk-averse, leading to lower costs and high profits. They explained that an increase in market power reduces the risk-taking requirement of banks. Reducing banks’ risks due to market power significantly increases when capital regulation is executed objectively. Ariss [ 6 ] suggested that increased market power decreases competition, and thus, NPAs reduce, leading to increased banks’ stability.

Competition, the performance of banks, and triad

Boyd and De Nicolo [ 27 ] supported that competition and concentration banking are inversely related, whereas competition increases risk, and concentration banking decreases risk. A mere shift toward concentration banking can lead to risk rationalization. This finding has significant policy implications. Risk reduction can also be achieved through stringent regulations. Bolt and Tieman [ 24 ] explained that stringent regulation coupled with intense competition does more harm than good, especially concerning banks’ risk-taking.

Market deregulation, as well as intensifying competition, would reduce the market power of large banks. Thus, the entire banking system might take inappropriate and irrational risks [ 112 ]. Maji and Hazarika [ 91 ] added more confusion to the existing policy by proposing that, often, there is no relationship between capital regulation and banks’ risk-taking. However, some cases have reported a positive relationship. This implies that banks’ risk-taking is neutral to regulation or leads to increased risk. Furthermore, Maji and Hazarika [ 91 ] revealed that competition reduces banks’ risk-taking, contrary to popular belief.

Claessens and Laeven [ 36 ] posited that concentration banking influences competition. However, this competition exists only within the restricted circle of banks, which are part of concentration banking. Kasman and Kasman [ 66 ] found that low concentration banking increases banks’ stability. However, they were silent on the impact of low concentration banking on banks’ risk-taking. Baselga-Pascual et al. [ 14 ] endorsed the earlier findings that concentration banking reduces banks’ risk-taking.

Concentration banking and competition are inversely related because of the inherent design of concentration banking. Market power increases when only a few large banks are operating; thus, reduced competition is an obvious outcome. Barra and Zotti [ 9 ] supported the idea that market power, coupled with competition between the given players, injects financial stability into banks. Market power and concentration banking affect each other. Therefore, concentration banking with a moderate level of regulation, instead of indiscriminate regulation, would serve the purpose better. Baselga-Pascual et al. [ 14 ] also showed that concentration banking addresses banks’ risk-taking.

Schaeck et al. [ 115 ], in a landmark study, presented that concentration banking and competition reduce banks’ risk-taking. However, they did not address the relationship between concentration banking and competition, which are usually inversely related. This could be a subject for future research. Research on the relationship between concentration banking and competition is scant and is identified as a research gap (“ Research Implications of the study ” section).

Transparency, corporate governance, and triad

One of the big problems with NPAs is the lack of transparency in both the regulatory bodies and banks [ 25 ]. Boudriga et al. [ 25 ] preferred to view NPAs as a governance issue and thus, recommended viewing it from a governance perspective. Ahmad and Ariff [ 2 ] concluded that regulatory capital and top-management quality determine banks’ credit risk. Furthermore, they asserted that credit risk in emerging economies is higher than that of developed economies.

Bad management practices and moral vulnerabilities are the key determinants of insolvency risks of Indian banks [ 95 ]. Banks are an integral part of the economy and engines of social growth. Therefore, banks enjoy liberal insolvency protection in India, especially public sector banks, which is a critical issue. Such a benevolent insolvency cover encourages a bank to be indifferent to its capital requirements. This indifference takes its toll on insolvency risk and profit efficiency. Insolvency protection makes the bank operationally inefficient and complacent.

Foreign equity and corporate governance practices help manage the adverse impact of banks’ risk-taking to ensure the profitability and stability of banks [ 33 , 34 ]. Eastburn and Sharland [ 45 ] advocated that sound management and a risk management system that can anticipate any impending risk are essential. A pragmatic risk mechanism should replace the existing conceptual risk management system.

Lo [ 87 ] found and advocated that the existing legislation and regulations are outdated. He insisted on a new perspective and asserted that giving equal importance to behavioral aspects and the rational expectations of customers of banks is vital. Buston [ 29 ] critiqued the balance sheet risk management practices prevailing globally. He proposed active risk management practices that provided risk protection measures to contain banks’ liquidity and solvency risks.

Klomp and De Haan [ 72 ] championed the cause of giving more autonomy to central banks of countries to provide stability in the banking system. Louzis et al. [ 88 ] showed that macroeconomic variables and the quality of bank management determine banks’ level of NPAs. Regulatory authorities are striving hard to make regulatory frameworks more structured and stringent. However, the recent increase in loan defaults (NPAs), scams, frauds, and cyber-attacks raises concerns about the effectiveness [ 19 ] of the existing banking regulations in India as well as globally.

Discussion of the findings

The findings of this study are based on the bibliometric and content analysis of the sample published articles.

The bibliometric study concludes that there is a growing demand for researchers and good quality research.

The keyword analysis suggests that risk regulation, competition, profitability, and performance are key elements in understanding the banking system. The main authors, keywords, and journals are grouped in a Sankey diagram in Fig.  6 . Researchers can use the following information to understand the publication pattern on banking and its determinants.

Fig. 6 Sankey diagram of main authors, keywords, and journals. Note: Authors’ contribution using scientometrics tools

Research Implications of the study

The study also concludes that a balance among the three components of the triad is the solution to the challenges of banks worldwide, including India. We propose the following recommendations and implications for banks:

This study found that “the lesser the better,” that is, less regulation enhances the performance and risk management of banks. However, less regulation does not imply the absence of regulation. Less regulation means the following:

Flexible but full enforcement of the regulations

Customization rooted in a nation’s indigenous requirements is needed, instead of a one-size-fits-all regulatory system. Basel or generic regulation can never achieve what a customized compliance system can.

A third-party audit, which is above the country's central bank, should be mandatory, and this would ensure that all three aspects of audit (policy formulation, execution, and audit) are handled by different entities.

Competition

This study asserts that the existing literature is replete with poor performance and risk management due to excessive competition. Banking is an industry of a different genre, and it would be unfair to compare it with the fast-moving consumer goods (FMCG) or telecommunication industry, where competition injects efficiency into the system, leading to customer empowerment and satisfaction. By contrast, competition is a deterrent to the basic tenets of safe banking. Concentration banking is more effective in handling the multi-pronged balance between the elements of the triad. Concentration banking reduces competition to lower and manageable levels, reduces banks’ risk-taking, and enhances profitability.

No incentive to take risks

It is found that unless banks’ risk-taking is discouraged, the problem of high NPA (risk-taking) cannot be addressed. Concentration banking is a disincentive to risk-taking and can be a game-changer in handling banks’ performance and risk management.

Research on the risk and performance of banks reveals that the existing regulatory and policy arrangement is not a sustainable proposition, especially for a country where half of the people are unbanked [ 37 ]. Further, the triad presented by Keeley [ 67 ] is a formidable real challenge to bankers. The balance among profitability, risk-taking, and regulation is very subtle and becomes harder to strike, even as banks globally have tried hard to achieve it. A pragmatic intervention is needed; hence, this study proposes a change in the banking structure by having two types of banks functioning simultaneously to solve the problems of risk and performance of banks. The proposed two-tier banking system explained in Fig. 7 can be a great solution. This arrangement will help achieve the much-needed balance among the elements of the triad as presented by Keeley [ 67 ].

Fig. 7 Conceptual framework. Note: Fig. 7 describes the conceptual framework of the study

The first set of banks could be conventional in terms of their structure and should primarily be large-sized. The number of such banks should be moderate. There is a logic in having only a few such banks to restrict competition; thus, reasonable market power could be assigned to them [ 55 ]. However, a reduction in competition cannot be over-assumed, and banks cannot become complacent. As customary, lending would be the main source of revenue and income for these banks (fund-based activities) [ 82 ]. The proposed two-tier system can be successful only when regulation, especially for risk, is objectively executed [ 29 ]. The second set of banks could be smaller in size and more in number. Since they are more in number, they would encounter intense competition for survival and for generating more business. Small is beautiful, and thus, this set of banks would be more agile and adaptable and consequently more efficient and profitable. The main source of revenue for this set of banks would not be loans and advances. Instead, non-funding and non-interest-bearing activities would be the major revenue source. Unlike their traditional and large-sized counterparts, since these banks are smaller in size, they are less likely to face risk-taking and NPAs [ 74 ].

Sarmiento and Galán [ 114 ] presented the concerns of large and small banks and their relative ability and appetite for risk-taking. High risk could threaten the existence of small-sized banks; thus, they need robust risk shielding. Small size makes them prone to failure, and they cannot convert their risk into profitability. However, large banks benefit from their size and are thus less vulnerable and can convert risk into profitable opportunities.

India has experimented with this Differential Banking System (DBS) (two-tier system) only at the policy planning level. The execution is impending, and it highly depends on the political will, which does not appear to be strong now. The current agenda behind the DBS model is not to ensure the long-term sustainability of banks. Instead, it is currently being directed to support the agenda of financial inclusion by extending the formal credit system to the unbanked masses [ 107 ]. A shift in goal is needed to employ the DBS as a strategic decision and not merely as a tool for financial inclusion. Thus, the proposed two-tier banking system (DBS) can solve the issue of profitability through proper regulation and less risk-taking.

The findings of Triki et al. [ 130 ] support the DBS model proposed in this study. Triki et al. [ 130 ] advocated that different components of regulation affect banks based on their size, risk-taking, and concentration banking (or market power). Large size, more concentration banking with high market power, and high risk-taking coupled with stringent regulation make the most efficient banks in African countries. Sharifi et al. [ 119 ] confirmed that size advantage offers better risk management to large banks than small banks. The banks should modify and work according to the economic environment in the country [ 69 ], and therefore, the proposed model could help in solving the current economic problems.

It is a fact that DBS is running across the world, including in India [ 60 ] and other countries [ 133 ]. India experimented with DBS in the form of not only regional rural banks (RRBs) but also payments banks [ 109 ] and small finance banks [ 61 ]. However, the purpose of all the existing DBS models, whether RRBs [ 60 ], payments banks, or small finance banks, is financial inclusion, not bank performance and risk management. Hence, they are unable to sustain and are failing because their model is only social instead of a much-needed dual business-cum-social model. The two-tier model of DBS proposed in the current paper can help serve the dual purpose. It may not only be able to ensure bank performance and risk management but also serve the purpose of inclusive growth of the economy.

Conclusion of the study

The study’s conclusions have some significant ramifications. This study can assist researchers in determining their study plan on the current topic by using a scientific approach. Citation analysis has aided in the objective identification of essential papers and scholars. More collaboration between authors from various countries/universities may help countries/universities better understand risk regulation, competition, profitability, and performance, which are critical elements in understanding the banking system. The regulatory mechanism in place prior to 2008 failed to address the risk associated with banks [ 47 , 87 ]. This creates a necessity and motivates the authors to investigate the current topic. The present study systematically explores the existing literature on banks’ triad (performance, regulation, and risk management) and proposes a probable solution.

To conclude the bibliometric results obtained from the current study, from the number of articles published from 1976 to 2020, it is evident that most of the articles were published from the year 2010, and the highest number of articles were published in the last five years, i.e., from 2015. Based on the detailed review, the authors discovered that researchers evaluate articles based on the scope of critical journals within the subject area. Most risk, regulation, and profitability articles are published in peer-reviewed journals such as “Journal of Banking and Finance,” “Journal of Accounting and Economics,” and “Journal of Financial Economics.” The rest of the journals are presented in Table 1 . From the affiliation statistics, it is clear that most of the research conducted was affiliated with developed countries such as Malaysia, the USA, and the UK. The researchers perform content analysis and citation analysis to assess the type of content on which research in the current field of knowledge is focused, and citation analysis helps academicians understand the highest cited articles that have more impact in the current research area.

Practical implications of the study

The current study is unique in that it is the first to systematically evaluate the publication pattern in banking using a combination of scientometrics analysis tools, network analysis tools, and content analysis to understand the relationship between bank regulation, performance, and risk. The study’s practical implications are that analyzing existing literature helps researchers generate new themes and ideas to justify their contribution to literature. Evidence-based research knowledge also improves decision-making, resulting in better practical implementation in the real corporate world [ 100 , 129 ].

Limitations and scope for future research

The current study considers only a single database, Scopus, which is one of its limitations; spanning multiple databases could provide diverse results. The proposed DBS model is a conceptual framework that requires empirical testing, which is a limitation of this study. As a result, empirical testing of the proposed DBS model could be a future research topic.

Availability of data and materials

SCOPUS database.

Abbreviations

Systematic literature review

World Financial Crisis

Non-performing assets

Differential banking system

SCImago Journal Rank Indicator

Liquidity convergence ratio

Net stable funding ratio

Fast moving consumer goods

Regional rural banks

Agoraki M-EK, Delis MD, Pasiouras F (2011) Regulations, competition and bank risk-taking in transition countries. J Financ Stab 7(1):38–48

Ahmad NH, Ariff M (2007) Multi-country study of bank credit risk determinants. Int J Bank Financ 5(1):35–62

Allen B, Chan KK, Milne A, Thomas S (2012) Basel III: Is the cure worse than the disease? Int Rev Financ Anal 25:159–166

Altman EI (2018) A fifty-year retrospective on credit risk models, the Altman Z-score family of models, and their applications to financial markets and managerial strategies. J Credit Risk 14(4):1–34

Alvarez F, Jermann UJ (2000) Efficiency, equilibrium, and asset pricing with risk of default. Econometrica 68(4):775–797

Ariss RT (2010) On the implications of market power in banking: evidence from developing countries. J Bank Financ 34(4):765–775

Aznar-Sánchez JA, Piquer-Rodríguez M, Velasco-Muñoz JF, Manzano-Agugliaro F (2019) Worldwide research trends on sustainable land use in agriculture. Land Use Policy 87:104069

Balasubramaniam C (2012) Non-performing assets and profitability of commercial banks in India: assessment and emerging issues. Nat Mon Refereed J Res Commer Manag 1(1):41–52

Barra C, Zotti R (2017) On the relationship between bank market concentration and stability of financial institutions: evidence from the Italian banking sector, MPRA working Paper No 79900. Last Accessed on Jan 2021 https://mpra.ub.uni-muenchen.de/79900/1/MPRA_paper_79900.pdf

Barth JR, Caprio G, Levine R (2004) Bank regulation and supervision: what works best? J Financ Intermed 2(13):205–248

Barth JR, Caprio G, Levine R (2008) Bank regulations are changing: For better or worse? Comp Econ Stud 50(4):537–563

Barth JR, Dopico LG, Nolle DE, Wilcox JA (2002) Bank safety and soundness and the structure of bank supervision: a cross-country analysis. Int Rev Financ 3(3–4):163–188

Bartolini M, Bottani E, Grosse EH (2019) Green warehousing: systematic literature review and bibliometric analysis. J Clean Prod 226:242–258

Baselga-Pascual L, Trujillo-Ponce A, Cardone-Riportella C (2015) Factors influencing bank risk in Europe: evidence from the financial crisis. N Am J Econ Financ 34(1):138–166

Beck T, Demirgüç-Kunt A, Levine R (2006) Bank concentration, competition, and crises: first results. J Bank Financ 30(5):1581–1603

Berger AN, Demsetz RS, Strahan PE (1999) The consolidation of the financial services industry: causes, consequences, and implications for the future. J Bank Financ 23(2–4):135–194

Berger AN, Deyoung R (1997) Problem loans and cost efficiency in commercial banks. J Bank Financ 21(6):849–870

Berger AN, Udell GF (1998) The economics of small business finance: the roles of private equity and debt markets in the financial growth cycle. J Bank Financ 22(6–8):613–673

Berger AN, Udell GF (2002) Small business credit availability and relationship lending: the importance of bank organisational structure. Econ J 112(477):F32–F53

Berger AN, Udell GF (2006) A more complete conceptual framework for SME finance. J Bank Financ 30(11):2945–2966

Besanko D, Kanatas G (1996) The regulation of bank capital: Do capital standards promote bank safety? J Financ Intermed 5(2):160–183

Beyer A, Cohen DA, Lys TZ, Walther BR (2010) The financial reporting environment: review of the recent literature. J Acc Econ 50(2–3):296–343

Bikker JA (2010) Measuring performance of banks: an assessment. J Appl Bus Econ 11(4):141–159

Bolt W, Tieman AF (2004) Banking competition, risk and regulation. Scand J Econ 106(4):783–804

Boudriga A, BoulilaTaktak N, Jellouli S (2009) Banking supervision and non-performing loans: a cross-country analysis. J Financ Econ Policy 1(4):286–318

Bouzon M, Miguel PAC, Rodriguez CMT (2014) Managing end of life products: a review of the literature on reverse logistics in Brazil. Manag Environ Qual Int J 25(5):564–584. https://doi.org/10.1108/MEQ-04-2013-0027

Boyd JH, De Nicolo G (2005) The theory of bank risk taking and competition revisited. J Financ 60(3):1329–1343

Brealey RA, Myers SC, Allen F, Mohanty P (2012) Principles of corporate finance. Tata McGraw-Hill Education

Buston CS (2016) Active risk management and banking stability. J Bank Financ 72:S203–S215

Casu B, Girardone C (2006) Bank competition, concentration and efficiency in the single European market. Manch Sch 74(4):441–468

Charumathi B, Ramesh L (2020) Impact of voluntary disclosure on valuation of firms: evidence from Indian companies. Vision 24(2):194–203

Chen X (2007) Banking deregulation and credit risk: evidence from the EU. J Financ Stab 2(4):356–390

Chen H-J, Lin K-T (2016) How do banks make the trade-offs among risks? The role of corporate governance. J Bank Financ 72(1):S39–S69

Chen M, Wu J, Jeon BN, Wang R (2017) Do foreign banks take more risk? Evidence from emerging economies. J Bank Financ 82(1):20–39

Claessens S, Laeven L (2003) Financial development, property rights, and growth. J Financ 58(6):2401–2436. https://doi.org/10.1046/j.1540-6261.2003.00610.x

Claessens S, Laeven L (2004) What drives bank competition? Some international evidence. J Money Credit Bank 36(3):563–583

Cnaan RA, Moodithaya M, Handy F (2012) Financial inclusion: lessons from rural South India. J Soc Policy 41(1):183–205

Core JE, Holthausen RW, Larcker DF (1999) Corporate governance, chief executive officer compensation, and firm performance. J Financ Econ 51(3):371–406

Dahir AM, Mahat FB, Ali NAB (2018) Funding liquidity risk and bank risk-taking in BRICS countries: an application of system GMM approach. Int J Emerg Mark 13(1):231–248

Dechow P, Ge W, Schrand C (2010) Understanding earnings quality: a review of the proxies, their determinants, and their consequences. J Acc Econ 50(2–3):344–401

Delis MD, Molyneux P, Pasiouras F (2011) Regulations and productivity growth in banking: evidence from transition economies. J Money Credit Bank 43(4):735–764

Demirguc-Kunt A, Laeven L, Levine R (2003) Regulations, market structure, institutions, and the cost of financial intermediation (No. w9890). National Bureau of Economic Research.

Deyoung R, Jang KY (2016) Do banks actively manage their liquidity? J Bank Financ 66:143–161

Ding Y, Cronin B (2011) Popular and/or prestigious? Measures of scholarly esteem. Inf Process Manag 47(1):80–96

Eastburn RW, Sharland A (2017) Risk management and managerial mindset. J Risk Financ 18(1):21–47

Erfani GR, Vasigh B (2018) The impact of the global financial crisis on profitability of the banking industry: a comparative analysis. Economies 6(4):66

Erkens DH, Hung M, Matos P (2012) Corporate governance in the 2007–2008 financial crisis: evidence from financial institutions worldwide. J Corp Finan 18(2):389–411

Fahimnia B, Sarkis J, Davarzani H (2015) Green supply chain management: a review and bibliometric analysis. Int J Prod Econ 162:101–114

Financial Stability Report (2019) Financial stability report (20), December 2019. https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=946 Accessed on March 2020

Fink A (2005) Conducting Research Literature Reviews: From the Internet to Paper, 2nd edn. SAGE Publications

Ghosh A (2015) Banking-industry specific and regional economic determinants of non-performing loans: evidence from US states. J Financ Stab 20:93–104. https://doi.org/10.1016/j.jfs.2015.08.004

Gonzalez F (2005) Bank regulation and risk-taking incentives: an international comparison of bank risk. J Bank Financ 29(5):1153–1184

Goyal K, Kumar S (2021) Financial literacy: a systematic review and bibliometric analysis. Int J Consum Stud 45(1):80–105

Grassa R, Moumen N, Hussainey K (2020) Do ownership structures affect risk disclosure in Islamic banks? International evidence. J Financ Rep Acc 19(3):369–391

Haque F, Shahid R (2016) Ownership, risk-taking and performance of banks in emerging economies: evidence from India. J Financ Econ Policy 8(3):282–297

Hellmann TF, Murdock KC, Stiglitz JE (2000) Liberalization, moral hazard in banking, and prudential regulation: Are capital requirements enough? Am Econ Rev 90(1):147–165

Hirshleifer D (2001) Investor psychology and asset pricing. J Financ 56(4):1533–1597

Huang J, You JX, Liu HC, Song MS (2020) Failure mode and effect analysis improvement: a systematic literature review and future research agenda. Reliab Eng Syst Saf 199:106885

Ibáñez Zapata A (2017) Bibliometric analysis of the regulatory compliance function within the banking sector (Doctoral dissertation). Last Accessed on Jan 2021 https://riunet.upv.es/bitstream/handle/10251/85952/Bibliometric%20analysis_AIZ_v4.pdf?sequence=1

Ibrahim MS (2010) Performance evaluation of regional rural banks in India. Int Bus Res 3(4):203–211

Jayadev M, Singh H, Kumar P (2017) Small finance banks: challenges. IIMB Manag Rev 29(4):311–325

Jin JY, Kanagaretnam K, Lobo GJ, Mathieu R (2013) Impact of FDICIA internal controls on bank risk taking. J Bank Financ 37(2):614–624

Joshi MK (2020) Financial performance analysis of select Indian Public Sector Banks using Altman’s Z-Score model. SMART J Bus Manag Stud 16(2):74–87

Kanoujiya J, Bhimavarapu VM, Rastogi S (2021) Banks in India: a balancing act between profitability, regulation and NPA. Vision, 09722629211034417

Karyani E, Dewo SA, Santoso W, Frensidy B (2020) Risk governance and bank profitability in ASEAN-5: a comparative and empirical study. Int J Emerg Mark 15(5):949–969

Kasman S, Kasman A (2015) Bank competition, concentration and financial stability in the Turkish banking industry. Econ Syst 39(3):502–517

Keeley MC (1990) Deposit insurance, risk, and market power in banking. Am Econ Rev 1:1183–1200

Khaddafi M, Heikal M, Nandari A (2017) Analysis Z-score to predict bankruptcy in banks listed in indonesia stock exchange. Int J Econ Financ Issues 7(3):326–330

Khanna T, Yafeh Y (2007) Business groups in emerging markets: Paragons or parasites? J Econ Lit 45(2):331–372

King RG, Levine R (1993) Finance and growth: schumpeter might be right. Q J Econ 108(3):717–737

Kiran KP, Jones TM (2016) Effect of non performing assets on the profitability of banks–a selective study. Int J Bus Gen Manag 5(2):53–60

Klomp J, De Haan J (2015) Banking risk and regulation: Does one size fit all? J Bank Financ 36(12):3197–3212

Koehn M, Santomero AM (1980) Regulation of bank capital and portfolio risk. J Financ 35(5):1235–1244

Köhler M (2015) Which banks are more risky? The impact of business models on bank stability. J Financ Stab 16(1):195–212

Kothari SP (2001) Capital markets research in accounting. J Acc Econ 31(1–3):105–231

Kumar S, Goyal N (2015) Behavioural biases in investment decision making – a systematic literature review. Qual Res Financ Mark 7(1):88–108

Kumar S, Kamble S, Roy MH (2020) Twenty-five years of Benchmarking: an International Journal (BIJ): a bibliometric overview. Benchmarking Int J 27(2):760–780. https://doi.org/10.1108/BIJ-07-2019-0314

Kumar S, Sureka R, Colombage S (2020) Capital structure of SMEs: a systematic literature review and bibliometric analysis. Manag Rev Q 70(4):535–565. https://doi.org/10.1007/s11301-019-00175-4

Kwan SH, Laderman ES (1999) On the portfolio effects of financial convergence-a review of the literature. Econ Rev 2:18–31

Lado AA, Boyd NG, Hanlon SC (1997) Competition, cooperation, and the search for economic rents: a syncretic model. Acad Manag Rev 22(1):110–141

Laeven L, Majnoni G (2003) Loan loss provisioning and economic slowdowns: Too much, too late? J Financ Intermed 12(2):178–197

Laeven L, Ratnovski L, Tong H (2016) Bank size, capital, and systemic risk: Some international evidence. J Bank Financ 69(1):S25–S34

Lee C-C, Hsieh M-F (2013) The impact of bank capital on profitability and risk in Asian banking. J Int Money Financ 32(1):251–281

Leech D, Leahy J (1991) Ownership structure, control type classifications and the performance of large British companies. Econ J 101(409):1418–1437

Levine R (1997) Financial development and economic growth: views and agenda. J Econ Lit 35(2):688–726

Lim CY, Woods M, Humphrey C, Seow JL (2017) The paradoxes of risk management in the banking sector. Br Acc Rev 49(1):75–90

Lo AW (2009) Regulatory reform in the wake of the financial crisis of 2007–2008. J Financ Econ Policy 1(1):4–43

Louzis DP, Vouldis AT, Metaxas VL (2012) Macroeconomic and bank-specific determinants of non-performing loans in Greece: a comparative study of mortgage, business and consumer loan portfolios. J Bank Financ 36(4):1012–1027

Maddaloni A, Peydró J-L (2011) Bank risk-taking, securitization, supervision, and low interest rates: evidence from the Euro-area and the U.S. lending standards. Rev Financ Stud 24(6):2121–2165. https://doi.org/10.1093/rfs/hhr015

Maji SG, De UK (2015) Regulatory capital and risk of Indian banks: a simultaneous equation approach. J Financ Econ Policy 7(2):140–156

Maji SG, Hazarika P (2018) Capital regulation, competition and risk-taking behavior of Indian banks in a simultaneous approach. Manag Financ 44(4):459–477

Messai AS, Jouini F (2013) Micro and macro determinants of non-performing loans. Int J Econ Financ Issues 3(4):852–860

Mitra S, Karathanasopoulos A, Sermpinis G, Dunis C, Hood J (2015) Operational risk: emerging markets, sectors and measurement. Eur J Oper Res 241(1):122–132

Mohsni S, Otchere I (2018) Does regulatory regime matter for bank risk-taking? A comparative analysis of US and Canada, d/Seas Working Papers-ISSN 2611-0172 1(1):28–28

Nguyen TPT, Nghiem SH (2015) The interrelationships among default risk, capital ratio and efficiency: evidence from Indian banks. Manag Financ 41(5):507–525

Niinimäki J-P (2004) The effects of competition on banks’ risk taking. J Econ 81(3):199–222

Page L, Brin S, Motwani R, Winograd T (1999) The PageRank citation ranking: bringing order to the web. Stanford InfoLab

Pakravan K (2014) Bank capital: the case against Basel. J Financ Regul Compl 22(3):208–218

Palacios-Callender M, Roberts SA, Roth-Berghofer T (2016) Evaluating patterns of national and international collaboration in Cuban science using bibliometric tools. J Doc 72(2):362–390. https://doi.org/10.1108/JD-11-2014-0164

Pinto G, Rastogi S, Kadam S, Sharma A (2019) Bibliometric study on dividend policy. Qual Res Financ Mark 12(1):72–95

Polizzi S, Scannella E (2020) An empirical investigation into market risk disclosure: Is there room to improve for Italian banks? J Financ Regul Compl 28(3):465–483

Prasad P, Narayanasamy S, Paul S, Chattopadhyay S, Saravanan P (2019) Review of literature on working capital management and future research agenda. J Econ Surv 33(3):827–861

Rahman MM, Zheng C, Ashraf BN, Rahman MM (2018) Capital requirements, the cost of financial intermediation and bank risk-taking: empirical evidence from Bangladesh. Res Int Bus Financ 44(1):488–503

Rajan RG (1994) Why bank credit policies fluctuate: a theory and some evidence. Q J Econ 109(2):399–441

Rastogi S, Gupte R, Meenakshi R (2021) A holistic perspective on bank performance using regulation, profitability, and risk-taking with a view on ownership concentration. J Risk Financ Manag 14(3):111

Rastogi S, Kanoujiya J (2022) Does transparency and disclosure (T&D) improve the performance of banks in India? Int J Product Perform Manag. https://doi.org/10.1108/IJPPM-10-2021-0613

Rastogi S, Ragabiruntha E (2018) Financial inclusion and socioeconomic development: gaps and solution. Int J Soc Econ 45(7):1122–1140

RBI (2001) Prudential Norms on income recognition, asset classification, and provisioning -pertaining to advances. Accessed on Apr 2020. https://rbidocs.rbi.org.in/rdocs/notification/PDFs/23068.pdf

Reddy S (2018) Announcement of payment banks and stock performance of commercial banks in India. J Internet Bank Commer 23(1):1–12

Repullo R (2004) Capital requirements, market power, and risk-taking in banking. J Financ Intermed 13(2):156–182

Rowley J, Slack F (2004) Conducting a literature review. Manag Res News 27(6):31–39. https://doi.org/10.1108/01409170410784185

Salas V, Saurina J (2003) Deregulation, market power and risk behaviour in Spanish banks. Eur Econ Rev 47(6):1061–1075

Samitas A, Polyzos S (2015) To Basel or not to Basel? Banking crises and contagion. J Financ Regul Compl 23(3):298–318

Sarmiento M, Galán JE (2017) The influence of risk-taking on bank efficiency: evidence from Colombia. Emerg Mark Rev 32:52–73. https://doi.org/10.1016/j.ememar.2017.05.007

Schaeck K, Cihak M, Wolfe S (2009) Are competitive banking systems more stable? J Money Credit Bank 41(4):711–734

Schwerter S (2011) Basel III’s ability to mitigate systemic risk. J Financ Regul Compl 19(4):337–354

Sen S, Sen RL (2014) Impact of NPAs on bank profitability: an empirical study. In: Ray N, Chakraborty K (eds) Handbook of research on strategic business infrastructure development and contemporary issues in finance. IGI Global, pp 124–134. https://doi.org/10.4018/978-1-4666-5154-8.ch010

Shajahan K (1998) Non-performing assets of banks: Have they really declined? And on whose account? Econ Pol Wkly 33(12):671–674

Sharifi S, Haldar A, Rao SN (2016) Relationship between operational risk management, size, and ownership of Indian banks. Manag Financ 42(10):930–942

Sharma A, Theresa L, Mhatre J, Sajid M (2019) Application of altman Z-Score to RBI defaulters: Indian case. Asian J Res Bus Econ Manag 9(4):1–11

Shehzad CT, De Haan J (2015) Supervisory powers and bank risk taking. J Int Finan Markets Inst Money 39(1):15–24

Shen L, Xiong B, Hu J (2017) Research status, hotspots and trends for information behavior in China using bibliometric and co-word analysis. J Doc 73(4):618–633

Shleifer A, Vishny RW (1997) A survey of corporate governance. J Financ 52(2):737–783

Singh HP, Kumar S (2014) Working capital management: a literature review and research agenda. Qual Res Financ Mark 6(2):173–197

Tabak BM, Fazio DM, Cajueiro DO (2013) Systemically important banks and financial stability: the case of Latin America. J Bank Financ 37(10):3855–3866

Tahamtan I, SafipourAfshar A, Ahamdzadeh K (2016) Factors affecting number of citations: a comprehensive review of the literature. Scientometrics 107(3):1195–1225

Thakor AV (2018) Post-crisis regulatory reform in banking: Address insolvency risk, not illiquidity! J Financ Stab 37(1):107–111

Thomsen S, Pedersen T (2000) Ownership structure and economic performance in the largest European companies. Strategic Manag J 21(6):689–705

Tranfield D, Denyer D, Smart P (2003) Towards a methodology for developing evidence-informed management knowledge by means of systematic review. Br J Manag 14(3):207–222

Triki T, Kouki I, Dhaou MB, Calice P (2017) Bank regulation and efficiency: What works for Africa? Res Int Bus Financ 39(1):183–205

Tsay M, Shu Z (2011) Journal bibliometric analysis: a case study on the journal of documentation. J Doc 67(5):806–822

Vento GA, La Ganga P (2009) Bank liquidity risk management and supervision: which lessons from recent market turmoil. J Money Invest Bank 10(10):78–125

Wahid ANM (1994) The grameen bank and poverty alleviation in Bangladesh: theory, evidence and limitations. Am J Econ Sociol 53(1):1–15

Xiao Y, Watson M (2019) Guidance on conducting a systematic literature review. J Plan Educ Res 39(1):93–112

Xu X, Chen X, Jia F, Brown S, Gong Y, Xu Y (2018) Supply chain finance: a systematic literature review and bibliometric analysis. Int J Prod Econ 204:160–173

Yadav M (2011) Impact of non performing assets on profitability and productivity of public sector banks in India. AFBE J 4(1):232–239

Yong-Hak J (2013), Web of Science, Thomson Reuters

Zheng C, Rahman MM, Begum M, Ashraf BN (2017) Capital regulation, the cost of financial intermediation and bank profitability: evidence from Bangladesh. J Risk Financ Manag 10(2):9

Acknowledgements

Not Applicable.

Author information

Authors and affiliations.

Symbiosis Institute of Business Management, Symbiosis International (Deemed University), Pune, India

Shailesh Rastogi, Arpita Sharma & Venkata Mrudula Bhimavarapu

SIES School of Business Studies, Navi Mumbai, India

Geetanjali Pinto

School of Commerce and Management, D Y Patil International University, Akurdi, Pune, India

Venkata Mrudula Bhimavarapu

Contributions

‘SR’ performed Abstract, Introduction, and Data methodology sections and was the major contributor; ‘AS’ performed Bibliometric and Network analysis and conceptual framework; ‘GP’ performed citation analysis and discussion section; ‘VMB’ collated data from the database and concluded the article. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Venkata Mrudula Bhimavarapu.

Ethics declarations

Ethics approval and consent to participate, consent for publication, competing interests.

The authors declare that they have no competing interests.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

About this article

Cite this article.

Rastogi, S., Sharma, A., Pinto, G. et al. A literature review of risk, regulation, and profitability of banks using a scientometric study. Futur Bus J 8, 28 (2022). https://doi.org/10.1186/s43093-022-00146-4

Received: 11 March 2022

Accepted: 16 August 2022

Published: 03 September 2022

DOI: https://doi.org/10.1186/s43093-022-00146-4

  • Bank performance
  • Profitability
  • Bibliometric analysis
  • Scientometric analysis

Interaction between credit risk, liquidity risk, and bank solvency performance: a panel study of Indian banks

  • Published: 23 December 2023
  • Volume 58, pages 311–328 (2023)

  • Arindam Bandyopadhyay   ORCID: orcid.org/0000-0002-0771-7907 1 &
  • Mayuri Saxena 2  

Liquidity risk and credit risk are considered the two main sources of banking risk. This paper is an attempt to investigate their interconnectedness and impact on the solvency performance of banks. Using panel data of 42 public and private commercial banks in India over the period 2010–2019, we find that a bank’s liquidity as well as asset quality positions strongly influence its financial soundness (measured in terms of Z-solvency score). Further, bank size, capital positions, and income diversification are the significant drivers of a bank’s solvency performance. Our empirical results reveal that Basel 3 norms implementation by the Reserve Bank of India has strengthened the liquidity situation and the financial stability of Indian banks. We argue that it is essential for commercial banks to manage their credit risk and liquidity risk more proactively to remain financially solvent.

Data availability.

The authors confirm that the data that support the findings of this paper are collated from the audited annual reports of banks over the years and from the data source AceEquity.

Acknowledgements

Authors gratefully acknowledge helpful comments and suggestions received from two anonymous reviewers to further improve this paper. We are thankful to the editor for invaluable suggestions during the revision process. All remaining errors are the author’s own.

This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

Author information

Authors and affiliations.

National Institute of Bank Management (NIBM), Pune, India

Arindam Bandyopadhyay

Accenture, Bengaluru, India

Mayuri Saxena

Corresponding author

Correspondence to Arindam Bandyopadhyay.

Ethics declarations

Conflict of interest.

The authors declare that there is no conflict of interest.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Bandyopadhyay, A., Saxena, M. Interaction between credit risk, liquidity risk, and bank solvency performance: a panel study of Indian banks. Ind. Econ. Rev. 58, 311–328 (2023). https://doi.org/10.1007/s41775-023-00202-y

Accepted: 27 November 2023

Published: 23 December 2023

Issue Date: December 2023

DOI: https://doi.org/10.1007/s41775-023-00202-y

  • Credit risk
  • Liquidity risk
  • Bank solvency performance

JEL Classification

Machine learning in banking risk management: a literature review.

1. Introduction
2. Theoretical Background
2.1. Risk Management at Banks
2.2. Machine Learning
3. Materials and Methods
3.1. Credit Risk
3.2. Market Risk
3.3. Liquidity Risk
3.4. Operational Risk
4. Discussion
5. Conclusions
Author Contributions
Conflicts of Interest

| Risk Type | Risk Management Method/Tool | Reference | Algorithm |
| --- | --- | --- | --- |
| Compliance Risk Management | Risk Monitoring | | SVM |
| Credit Risk Management—Concentration Risk | Stress Testing | | Bayesian Networks |
| Credit Risk Management—Consumer Credit | Exposure (PD, LGD, EAD) | | Bayes classifier, Nearest neighbor, ANN, Classification trees |
| Credit Risk Management—Consumer Credit | Scoring Models | | SVM |
| Credit Risk Management—Consumer Credit | Scoring Models | | CART, NN, KNN |
| Credit Risk Management—Consumer Credit | Scoring Models | | Lasso logistic regression |
| Credit Risk Management—Consumer Credit | Scoring Models | | Bagging, Random Forest, Boosting |
| Credit Risk Management—Consumer Credit | Scoring Models | | SVM |
| Credit Risk Management—Consumer Credit | Scoring Models | | SVM |
| Credit Risk Management—Consumer Credit | Scoring Models | | NN, Bayesian Classifier, DA, Logistic Regression, KNN, Decision tree, Survival Analysis, Fuzzy Rule based system, SVM, Hybrid mode |
| Credit Risk Management—Consumer Credit | Scoring Models | | CART |
| Credit Risk Management—Consumer Credit | Scoring Models | | SVM |
| Credit Risk Management—Consumer Credit | Scoring Models | | Multiple algos assessed |
| Credit Risk Management—Consumer Credit | Scoring Models | | Deep Learning |
| Credit Risk Management—Consumer Credit | Scoring Models | | Deep belief network, Extreme Machine Learning |
| Credit Risk Management—Consumer Credit | Scoring Models | | SVM, Fuzzy SVM |
| Credit Risk Management—Consumer Credit | Scoring Models | | Random Forest |
| Credit Risk Management—Corporate Credit | Exposure (PD, LGD, EAD) | | Bagging |
| Credit Risk Management—Corporate Credit | Exposure (PD, LGD, EAD) | | Neural Network, SVM, Boosting, Bagging, Random Forest |
| Credit Risk Management—Corporate Credit | Exposure (PD, LGD, EAD) | | Neural Networks |
| Credit Risk Management—Corporate Credit | Exposure (PD, LGD, EAD) | | SVM |
| Credit Risk Management—Corporate Credit | Exposure (PD, LGD, EAD) | | SVR |
| Credit Risk Management—Corporate Credit | Scoring Models | | Multiclassifier system (MCS)—Ensemble—neural networks (NN), support vector machines (SVM), random forests (RF), decision trees (DT) and naïve Bayes (NB) |
| Credit Risk Management—Corporate Credit | Scoring Models | | GNG, MARS |
| Credit Risk Management—Corporate Credit | Scoring Models | | ANN, Random Forest |
| Credit Risk Management—Corporate Credit | Scoring Models | | SVM |
| Credit Risk Management—Corporate Credit | Scoring Models | | SVM |
| Credit Risk Management—Corporate Credit | Scoring Models | | Elastic Net, random forest, Boosting, NN |
| Credit Risk Management—Corporate Credit | Scoring Models | | NN |
| Credit Risk Management—Corporate Credit | Scoring Models | | Neural networks |
| Credit Risk Management—Corporate Credit | Scoring Models | | KNN, Random Forest |
| Credit Risk Management—Corporate Credit | Stress Testing | | Lasso regression |
| Credit Risk Management—Corporate Credit | Stress Testing | | Lasso regression |
| Credit Risk Management—Credit Card Risk | Exposure (PD, LGD, EAD) | | SVM |
| Credit Risk Management—Cross-risk | Stress Testing | | MARS |
| Credit Risk Management—Wholesale | Stress Testing | | Cluster analysis |
| Liquidity Risk Management—Liquidity Risk | Risk Limits | | vSVM |
| Liquidity Risk Management—Liquidity Risk | Risk Monitoring | | ANN |
| Liquidity Risk Management—Liquidity Risk | Scoring Models | | ANN, Bayesian Networks |
| Management—Consumer Credit | Scoring Models | | Gradient, Boosting, Random Forest, Least Squares—SVM |
| Market Risk Management—Equity Risk | Value at Risk | | GELM |
| Market Risk Management—Equity Risk | Value at Risk | | Cluster analysis |
| Market Risk Management—Equity Risk | Value at Risk | | NN |
| Market Risk Management—Interest Rate Risk | Value at Risk | | SOM, Gaussian Mixtures, Cluster Analysis |
| Operational Risk Management—Cybersecurity | Risk Assessment (RCSA) | | Non-linear clustering method |
| Operational Risk Management—Fraud Risk | Operational Risk Losses | | Neural Networks, k-Nearest Neighbor, Naïve Bayesian, Decision Tree |
| Operational Risk Management—Fraud Risk | Operational Risk Losses | | SOM |
| Operational Risk Management—Fraud Risk | Risk Monitoring | | neural networks, Bayesian belief network, decision trees |
| Operational Risk Management—Fraud Risk | Risk Monitoring | | SVM, Classification Trees, Ensemble Learning, CART, C4.5, Bayesian belief networks, HMM |
| Operational Risk Management—Money Laundering/Financial Crime | Risk Monitoring | | logistic regression |

  • Shalev-Shwartz, Shai, and Shai Ben-David. 2014. Understanding Machine Learning: From Theory to Algorithms . Cambridge: Cambridge University Press. [ Google Scholar ] [ CrossRef ]
  • Sharma, Shashank, and Arjun Roy Choudhury. 2016. Fraud Analytics: A Survey on Bank Fraud Prediction Using Unsupervised Learning Based Approach. International Journal of Innovation in Engineering Research and Technology 3: 1–9. [ Google Scholar ]
  • Sudjianto, Agus, Sheela Nair, Ming Yuan, Aijun Zhang, Daniel Kern, and Fernando Cela-Díaz. 2010. Statistical Methods for Fighting Financial Crimes. Technometrics 52: 5–19. [ Google Scholar ] [ CrossRef ]
  • Tavana, Madjid, Amir Reza Abtahi, Debora Di Caprio, and Maryam Poortarigh. 2018. An Artificial Neural Network and Bayesian Network Model for Liquidity Risk Assessment in Banking. Neurocomputing 275: 2525–54. [ Google Scholar ] [ CrossRef ]
  • Vaidya, Avanti H., and Sudhir W. Mohod. 2014. Internet Banking Fraud Detection using HMM and BLAST-SSAHA Hybridization. International Journal of Science and Research (IJSR) 3: 574–9. [ Google Scholar ]
  • Van Gestel, Ir Tony, Bart Baesens, Ir Joao Garcia, and Peter Van Dijcke. 2003. A support vector machine approach to credit scoring. In Forum Financier—Revue Bancaire Et Financiaire Bank En Financiewezen . Bruxelles: Larcier, pp. 73–82. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.93.6492&rep=rep1&type=pdf (accessed on 7 July 2018).
  • Van Liebergen, Bart. 2017. Machine Learning: A Revolution in Risk Management and Compliance? Journal of Financial Transformation 45: 60–67. [ Google Scholar ]
  • Van-Sang, Ha, and Ha-Nam Nguyen. 2016. Credit Scoring with a Feature Selection Approach Based Deep Learning. In MATEC Web of Conferences . Les Ulis: EDP Sciences, volume 54, p. 05004. Available online: https://www.matec-conferences.org/articles/matecconf/abs/2016/17/matecconf_mimt2016_05004/matecconf_mimt2016_05004.html (accessed on 19 July 2018).
  • Villalobos, Miguel Agustín, and Eliud Silva. 2017. A Statistical and Machine Learning Model to Detect Money Laundering: An Application. Available online: http://hddavii.eventos.cimat.mx/sites/hddavii/files/Miguel_Villalobos.pdf (accessed on 21 June 2018).
  • Wang, Yongqiao, Shouyang Wang, and Kin Keung Lai. 2005. A New Fuzzy Support Vector Machine to Evaluate Credit Risk. IEEE Transactions on Fuzzy Systems 13: 820–31. [ Google Scholar ] [ CrossRef ]
  • Wang, Hong, Qingsong Xu, and Lifeng Zhou. 2015. Large Unbalanced Credit Scoring Using Lasso-Logistic Regression Ensemble. PLoS ONE 10: e0117844. [ Google Scholar ] [ CrossRef ] [ PubMed ]
  • Wójcicka, Aleksandra. 2017. Neural Networks vs. Discriminant Analysis in the Assessment of Default. Electronic Economy , 339–49. [ Google Scholar ] [ CrossRef ]
  • Yang, Zijiang, Wenjie You, and Guoli Ji. 2011. Using partial least squares and support vector machines for bankruptcy prediction. Expert Systems with Applications 38: 8336–42. [ Google Scholar ] [ CrossRef ]
  • Yao, Xiao, Jonathan Crook, and Galina Andreeva. 2015. Support vector regression for loss given default modelling. European Journal of Operational Research 240: 528–38. [ Google Scholar ] [ CrossRef ]
  • Yao, Xiao, Jonathan Crook, and Galina Andreeva. 2017. Enhancing two-stage modelling methodology for loss given default with support vector machines. European Journal of Operational Research 263: 679–89. [ Google Scholar ] [ CrossRef ]
  • Yeh, I. Cheng, and Chehui Lien. 2009. The Comparisons of Data Mining Techniques for the Predictive Accuracy of Probability of Default of Credit Card Clients. Expert Systems with Applications . [ Google Scholar ] [ CrossRef ]
  • Yu, Lean, Zebin Yang, and Ling Tang. 2016. A Novel Multistage Deep Belief Network Based Extreme Learning Machine Ensemble Learning Paradigm for Credit Risk Assessment. Flexible Services and Manufacturing Journal 28: 576–92. [ Google Scholar ] [ CrossRef ]
  • Zareapoor, Masoumeh, and Pourya Shamsolmoali. 2015. Application of Credit Card Fraud Detection: Based on Bagging Ensemble Classifier. Procedia Computer Science 48: 679–86. [ Google Scholar ] [ CrossRef ]
  • Zhang, Wenhao. 2017. Machine Learning Approaches to Predicting Company Bankruptcy. Journal of Financial Risk Management 6: 364–74. [ Google Scholar ] [ CrossRef ]
  • Zhang, Heng Guo, Chi Wei Su, Yan Song, Shuqi Qiu, Ran Xiao, and Fei Su. 2017. Calculating Value-at-Risk for High-Dimensional Time Series Using a Nonlinear Random Mapping Model. Economic Modelling 67: 355–67. [ Google Scholar ] [ CrossRef ]
  • Zhou, Lifeng, and Hong Wang. 2012. Loan Default Prediction on Large Imbalanced Data Using Random Forests. TELKOMNIKA Indonesian Journal of Electrical Engineering . [ Google Scholar ] [ CrossRef ]

Leo, M.; Sharma, S.; Maddulety, K. Machine Learning in Banking Risk Management: A Literature Review. Risks 2019 , 7 , 29. https://doi.org/10.3390/risks7010029
Banking on interest rates: A playbook for the new era of volatility

The recent accelerated rise in global interest rates, the fastest in decades, brought the curtain down on an extended period of cheap money but provided little clarity on the longer-term outlook. In 2024, competing forces of tepid growth, geopolitical tension, and regional conflict are creating nearly equal chances of higher-for-longer benchmark rates and rapid cuts. In the banking industry, this uncertainty presents both risks and opportunities. But in the absence of recent precedent, many institutions lack the necessary playbook to tackle the challenge.

As rates have risen from their record lows, banks have in general profited from rising net interest margins (NIMs). However, if policy makers switch swiftly into cutting mode, banks may see the opposite effect. For now, futures markets predict the start of that process toward the end of 2024. In that context, the question facing risk managers is how they can retain the benefit of higher rates while preparing for cuts and managing the potential for macroeconomic surprises.

The volatility playing out in rates markets is reflected in bank deposit trends, with customers more actively managing their cash to make the most of shifting monetary conditions. In Europe, deposits reached 63 percent of available stable funding (ASF) in 2023, compared with 57 percent in 2021 (Monitoring of liquidity coverage ratio and net stable funding ratio implementation in the EU – third report, European Banking Authority, June 15, 2023). In the US, conversely, the share of deposits over total liabilities fell over a similar period as money migrated to investments such as money market funds.

In the face of accelerating deposit flows, McKinsey research shows that bank risk management and funding performance has been highly variable. Between 2021 and 2023, the best-performing US and EU banks saw interest rate expenses rise 70 percent less than at the worst-performing banks (Exhibit 1). Among the drivers were better deposit and interest rate management.

Alongside the impacts of deposit flows, funding has come under pressure from other factors, including the steady withdrawal of pandemic-related central bank liquidity facilities. Meanwhile, innovations such as instant payments have motivated customers to make faster and larger transfers. These withdrawals can happen quickly and be fueled by social media, creating a powerful new species of risk.

In the context of a more uncertain environment, regulatory authorities are doubling down on oversight of the potential impacts of rate volatility—for example, by asking banks to mitigate the potential effects of rate normalization, increasing overall scrutiny, and demanding evidence of methodology upgrades. Among European supervisory priorities for 2024–26, banks are advised to sharpen their governance and strategic frameworks to strengthen asset and liability management (ALM) and develop new funding plans and contingency measures for short-term liquidity shocks, including evaluating the adequacy of assumptions supporting some behavioral models (“SSM Supervisory Priorities, 2024-2026,” in Supervisory priorities and assessment of risks and vulnerabilities, European Central Bank, 2023). In the same vein, the Basel Committee on Banking Supervision in 2023 proposed a recalibration of shocks for interest rate risk in the banking book. Banks can achieve this by extending the time series used in model calibration from the current December 2015 standard to December 2022, bringing more volatile rate distributions into the equation.

In a recent McKinsey roundtable, 40 percent of Europe, Middle East, and Africa bank treasurers said the topic that will attract most regulatory attention in the coming period is liquidity risk, followed by capital risk and interest rate risk in the banking book (IRRBB). With these risks in mind, 34 percent of treasurers said their top priorities with respect to rate risk were enhancing models and analytics, revising pricing strategies on loans and deposits, and beefing up ALM governance and monitoring capabilities.

Most participants also expected treasury teams to get more involved in strategic planning and board engagement and to engage business units more closely to define pricing strategies and product innovation (Exhibit 2).

In response to these dynamics, we expect to see many banks revisiting the role of the treasury function in the months ahead. For many, this will mean moving away from approaches designed for the low-rate era and toward those predicated on uncertainty. In this article, we discuss how forward-looking banks are redesigning their treasury functions to obtain deeper insights into probabilities around interest rates and their impacts on pricing, customer behavior, deposits, and liquidity.

Five steps to enhancing the treasury function

To manage volatile interest rates more effectively, leading banks are revisiting practices in the treasury function that evolved during the low-interest-rate period and may no longer be fit for purpose—or at least should be updated for the new environment. Pioneers have taken steps in five broad focus areas: steering and monitoring, risk measurement and capabilities, stress testing, bank funding, and hedging.

Build efficiency and sophistication

A precondition of effective oversight of interest rate business is to ensure decision makers have a clear view of the current state of play. Currently, the standard approach across the industry is somewhat passive, meaning it is based on static or seldom-reviewed pricing and risk management decisions, often taken by relationship managers. Models are fed with low-frequency data, and banks use static fund transfer pricing (FTP) to calculate net interest margins. Monitoring often reflects regulatory timelines rather than the desire to optimize decision making.

Forward-looking banks are tackling these challenges through a more hands-on approach to steering and monitoring, including the following measures:

  • dynamic reviews of FTP, reflecting microsegment behaviors and pricing strategies tied to customer lifetime value and the opportunity cost of liquidity
  • increased product innovation to boost funding from both corporate and retail clients
  • ensuring access to high-quality, frequent, and granular data, with systems equipped to send early warning signals on potential changes in customer behaviors, especially to capture early signs of liquidity shifts
  • use of risk limits and targets as active steering mechanisms, bolstered by links to incentives
  • automation of reporting and monitoring, so liquidity and other events can be scaled internally much faster, backed by real-time data where possible

Upgrade IRRBB measurement and capabilities

Leading banks are getting a grip on IRRBB risk in areas such as balance sheet management, pricing, and collateral. Many have assembled dedicated teams to help them make more effective decisions. Given the threat to deposits, some are making greater use of scenario-based frameworks, bringing together liquidity and interest rate risk management. They are using real-time data to inform funding and pricing decisions.

To ensure they consider all aspects of rate risk, leading banks employ a cascade of models, feeding the outputs into steering and stress-testing frameworks, and capturing behavioral indicators that can inform balance sheet planning and hedging activities. Some banks are employing behavioral models to forecast loan acceptance rates and credit line drawings. Best practice involves using statistical grids differentiated by type of customer, product, and process phase.

When it comes to loans, some banks are leveraging AI to predict prepayments and their impacts on balance sheets and hedging requirements. Best practice in prepayments modeling is to move away from linear models and toward machine learning algorithms such as random forests to consider nonlinear relationships (for instance, between prepayments and interest rate variation) and loan features (for example, embedded options), as well as behavioral factors. We see five key steps:

  • Customer segmentation . Banks can use AI to achieve granulated segmentation—for example, incorporating behavioral factors.
  • Prepayment behavior . Banks can quantify constant prepayments and prepayments subject to criteria including interest rate levels, prepayment penalties, age of mortgage, and borrower characteristics. Leading banks establish a parent model and leverage customer segmentation to derive dedicated prepayment functions, taking into account customer protections such as statutory payment holidays.
  • Interest rate scenarios . Banks can employ Monte Carlo simulations and other models to analyze a range of scenarios, including extreme and regulatory scenarios, and simulate potential prepayment behaviors for each scenario.
  • Hedging ratios and strategy . Decision makers should evaluate the value of mortgages under different interest scenarios and derive sensitivities to economic value and P&L. They can then select hedging instruments with the aim of neutralizing scenario impacts.
  • Pricing . Mortgage pricing can be adjusted based on maturity and potential prepayment behavior. Banks can use fund transfer pricing, with risks handled by a dedicated team in the treasury function.

Another important focus area is deposit decay. Many banks still prioritize moving-average approaches segmented by maturity and backed by expert judgment. A best practice would be to identify a core balance through a combined expert and statistical approach, looking at trends across customer segmentation, core balance modeling, deposit volume modeling, deposit beta and pass-through rates, and replicating portfolio/hedge strategies. This would mean leveraging AI and high-frequency data relating to transactions, to estimate each account’s non-operational liquidity, which customers may be more likely to move elsewhere (see sidebar “Case study: Deposit modeling to limit deposit erosion”). Some banks also use survival models to gauge non-linearities in deposit behaviors.

Case study: Deposit modeling to limit deposit erosion

One bank achieved an equivalent of €150 million to €200 million positive P&L impact on €30 billion of deposits by using AI techniques for repricing. The tool provided transparency on the following measures:

  • the amount of liquidity at risk for each client—that is, the excess liquidity the client could potentially invest or move freely to other banks
  • the churn probability for each client, or the probability the client would move the liquidity if the bank took no action, based on client sophistication, the quality and intensity of the client’s relationship with the bank, and the level of market competition
  • the customer value at risk, an estimate of future revenues that would be at risk if the client moved the liquidity elsewhere (for example, including not only the opportunity cost of funding, but also revenues from related services)

Armed with this transparency, the bank was able to formulate client-specific strategies for repricing actions and product offerings (for example, investment products and transaction banking services), optimizing both its funding sources and profitability. New capabilities to support the effort included a deposits command center, producing a real-time dashboard for monitoring, including early warning triggers, sales team mobilization, and new product offering, especially for cash-rich corporate clients.

In the context of IRRBB strategy, leading banks are keeping a close eye on both deposit beta and pass-through rates (the portion of a change in the benchmark rate that is passed on to the deposit rate). They back their judgments with views on client stickiness, which they traditionally arrive at through expert judgment and market research. A more advanced approach is to derive regime-based elasticities, capturing data from historical economic cycles.

Better modeling enables more resilience: One bank’s story

A European global bank wanted to improve its forecasting in a rising-interest-rate context. Managers decided to focus more on customer behavior. They moved away from expert-judgment buffers to AI and stochastic modeling and a more focused approach to model calibration. They also updated scenario planning based on regulatory guidelines and best-in-class approaches, such as an interest rate risk in the banking book (IRRBB) dynamic balance sheet methodology. Through these changes, the bank was able to estimate its duration gap (between assets and liabilities) more accurately and thereby reduce delta economic value of equity (EVE). As a result, the bank recorded a 70-basis-point uplift in return on equity, resulting from capital savings on interest rate risk and a direct P&L impact from reduced hedging.

Finally, risks need to be optimally matched with hedges. The recent trend is to use stochastic models to support hedging decisions, enabling banks to gauge non-linearities. Forward-looking banks increasingly integrate deposit, prepayment, and pipeline modeling directly into their hedging strategies. They also ensure model risk is closely monitored, with models recalibrated frequently to reduce reliance on expert input (see sidebar “Better modeling enables more resilience: One bank’s story”).

Improve stress testing

Several players are integrating interest rate risk, credit spread risk, liquidity risk, and funding concentration risk in both regulatory and internal stress tests. Indeed, the IRRBB, liquidity risk, and market risk (credit spread risk in the banking book, or CSRBB) highlight the trade-off between capital and liquidity regulations. In short, higher capital requirements may reduce the need for excessive liquidity, and vice versa, for a bank with stable funding—a situation that remains a challenge to current regulatory frameworks.

Stress testing to measure interest rate risk is also evolving, with some banks adopting reverse stress testing (see sidebar “Enhancing Basel's interest rate risk measures: Exploring the efficacy of reverse stress testing and VAR”).

Enhancing Basel’s interest rate risk measures: Exploring the efficacy of reverse stress testing and VAR

Research conducted by a group of bank risk managers suggests that the current supervisory outlier tests for interest rate risk in the banking book (IRRBB) may not adequately address all significant risk scenarios. Specifically, the scenarios outlined in the BCBS 368 guidelines for stress-testing economic value of equity (EVE) and net interest income (NII) may fall short in identifying substantial IRRBB risks. This oversight could make it more difficult for banks to recognize material risks of loss, especially if they have complex or unconventional portfolios.

To identify more material risks, experts are recommending a shift in approach. Instead of focusing solely on extreme and plausible scenarios, they are advised to consider all possible scenarios and integrate reverse stress testing. This would involve simulating thousands of historical and hypothetical scenarios, covering almost the entire spectrum of possible yield curves. After computing NII and EVE, attention would be directed to the scenarios that could have the most adverse impact on the bank’s balance sheet.

In alignment with this proposed methodology, Australian banks will be mandated from 2025 to calculate IRRBB capital using measures of expected shortfall rather than value at risk (VAR). The change is intended to incorporate tail risk, with the new methodology utilizing data from the past seven years, coupled with a distinct one-year stress period.

In upgrading their stress-testing frameworks and interest rate strategies, banks need to balance net interest income (NII) and economic value of equity (EVE) risks that may materialize as a function of rate volatility. On NII, banks can productively apply scenario-based yield curve analysis across regulatory, market, and bank-specific variables and weigh these in the context of overall balance sheet exposures, hedges, and factors including deposits, prepayments, and committed credit lines. Additional economic risks include basis risk, option risk, and credit spread risk, which also should be measured.

Tailor planning

Bank funding plans are often generic, periodic, and spread across different frameworks and methodologies, including funding plans, capital plans, internal capital adequacy assessment processes (ICAAP), and internal liquidity adequacy assessment processes (ILAAP). They are often designed for a range of purposes and audiences and updated only when prompted by regulatory requirements. In future, banks will need dynamic, diversified, and granular funding plans—for example, tailored to products and regions. The plans should reflect flexible and contingent funding sources, central bank policies, and the trade-off between risks and costs.

Embrace dynamic hedging strategies

In the era of low rates, hedging of interest rate risk was a less prominent activity. Banks often employed simple, static, short-term, or isolated strategies, mostly aimed at protecting P&L. Few banks paid a great deal of attention to collateral management.

Now, in a more volatile rate environment, the potential for losses is much higher, suggesting banks need more sophisticated, agile, and frequent hedging to respond to shifts in interest rates, credit spreads, and customer deposit behaviors (Exhibit 3). Indeed, in 2023, the traded volume of euro-denominated interest rate derivatives increased by 3.4 times compared with 2020, according to the International Swaps and Derivatives Association (“Interest rate derivatives US: Transaction data,” ISDA).

Hedging strategies are evolving to be dynamic, horizontally integrated across the organization, and wedded to risk appetite frameworks, so banks can balance P&L priorities and reductions in tail risk. On the ground, banks will likely need to recalibrate their strategies frequently, ideally leveraging a comprehensive scenario-based approach to reflect changes in the external environment. Many, for example, have already revisited hedging to reflect higher rates, but as rates fall, they will need to assess factors such as the impact of convexity on short positions. The objective of these exercises would ideally extend beyond risk mitigation to the optimization of NII (see sidebar “Replication and hedging: The upsides of NIM optimization”).

Replication and hedging: The upsides of NIM optimization

Broadly, banks may consider four approaches to replication and hedging, each of which offers benefits that will vary according to the bank’s unique asset base.

Static replication is a widely applied and robust approach that involves derivation and adjustment of cash flows from deposit volume models for deposit rate elasticity and pass-through rates. The remainder of cash flows are replicated with bonds, interest rate swaps, or loans. Future deposit growth can be incorporated if desired.

Dynamic hedging of present value of net interest margin (NIM) treats the deposit portfolio like a structured product. Banks calculate the present value of NIM arising from deposits, enabling derivation of present value sensitivity to changes in interest rates. The method supports dynamic hedging and can take into account negative convexity.

Static NIM optimization provides the recommended trade-off between granularity and sophistication on the one hand and usability on the other, and it is our preferred approach. It involves design of the fixed-income portfolio to replicate deposit balance dynamics over a sample period. The analyst then selects the portfolio yielding the most stable margin, represented by minimization of margin standard deviation of the spread between the portfolio return and deposit rate. The approach enables NIM maximization, with the caveat that shorter tenors tend to be preferred in periods of low benchmark rates.

Dynamic NIM optimization permits banks to model future interest rates with NIM and investment strategy optimized for a future horizon. Again, NIM can be maximized, but the approach requires assumptions on volume growth, and the optimization horizon may not extend to the full rate cycle.

A key principle of best-in-class hedging strategy is that a proactive, forward-looking approach tends to work best and will enable banks to hedge more points on the yield curve. And with forward-looking scenario analysis, they should be able to anticipate risks more effectively. Consider the case of a bank that was exposed to falling interest rates and did not meet the regulatory threshold for outliers under the new IRRBB rules for changes in NII. Through analysis of potential client migrations to other products and a push to help clients make those transfers, combined with a new multi-billion-dollar derivative hedging strategy, the bank brought itself within the threshold.

Banks should not view hedging as a stand-alone activity but rather as integrated with risk management, backed by investment in talent and education to ensure teams choose the right hedges for the right situation. These may be traditional interest rate derivatives but equally could be options or swaptions to bring more flexibility to the hedging strategy. AI will be table stakes to support decision making and identify risks before they materialize. A more automated approach to data analytics will likely be required. And collateral management should be a core element of hedging frameworks, with analytics employed to forecast collateral valuations and needs, optimize liquidity reserves, and mitigate margin call risk.

Next steps: Making change happen

To effectively implement change across the activities highlighted here, best practice would be to bring together modeling capabilities under a dedicated data strategy. The target state should be comprehensive capabilities, a unified and actionable scenario-based framework, and routine use of AI techniques and behavioral data for decisions around pricing and collateral. Most likely, a talent strategy also will be required to support capability building across analytics, trading, finance, pricing, and risk management.

Banks must marshal a broad range of market data to support effective modeling. The data will include all credit lines, including both on–balance sheet and off–balance sheet items, deposit lines, fixed-income assets and liabilities, capital items, and other items on the banking book. Ideally, banks would assemble 15 to 20 years of data, which would take in the previous period of rising interest rates from 2004 to 2007. Alongside these basic resources, banks need information on historical residual balances, amortization plans, optionality, currencies, indexing, counterparty information, behavioral insights, and a full set of macro data. Some cutting-edge models incorporate about 150 different features.

Armed with comprehensive data, banks can build behavioral models (for example, prepayments, deposits) to estimate parameters and infer behavioral effects in different scenarios. They can then integrate behavioral outputs into stress-testing simulations, alongside expert-based insights. Once macroeconomic data has been inputted, banks should be able to compute delta NII and EVE for three years. Visualization tools and hedging replica analysis can help teams clarify their insights and test their hedging strategies across risk factors.

Banks that have embraced the levers discussed here have set themselves on a course to more proactive and effective interest rate risk management. Through a sharper focus on high-quality data and the use of AI and scenario-based frameworks, banks have shown they can make better decisions, upgrade their hedging capabilities, optimize the cost of funding, and ensure they stay within regulatory thresholds. In short, they will be equipped to respond faster and more flexibly as interest rates enter a new era of volatility.

Andreas Bohn is a partner in McKinsey’s Frankfurt office, Sebastian Schneider is a senior partner in the Munich office, Enrique Briega is a knowledge expert in the Madrid office, and Mario Nargi is an associate partner in the Milan office.

The authors wish to thank Gonzalo Oliveira and Stefano Terra for their contributions to this article.


Based on technical assistance to central banks by the IMF’s Monetary and Capital Markets Department and Information Technology Department, this paper examines fintech and the related area of cybersecurity from the perspective of central bank risk management. The paper draws on findings from the IMF Article IV Database, selected FSAP and country cases, and gives examples of central bank risks related to fintech and cybersecurity. The paper highlights that fintech- and cybersecurity-related risks for central banks should be addressed by operationalizing sound internal risk management by establishing and strengthening an integrated risk management approach throughout the organization, including a dedicated risk management unit, ongoing sensitizing and training of Board members and staff, clear reporting lines, assessing cyber resilience and security posture, and tying risk management into strategic planning. Given the fast-evolving nature of such risks, central banks could make use of timely and regular inputs from external experts.

I. Introduction

Effective risk management of central banks is imperative for managing a wide variety of increasing financial and nonfinancial risks. Central banks 1 across the globe have undergone an expansion of the risks that they run. This includes financial risks resulting from policy decisions, especially those in unconventional times, including during the COVID-19 pandemic—varying from asset purchase operations that have significantly expanded the balance sheets of central banks in, for instance, the United States, the United Kingdom, the European Union, and Japan, to central banks actively pursuing more aggressive, yield-increasing asset management strategies due to the low interest environment.

However, in addition to financial risks, central banks also run nonfinancial risks. These include strategy and policy risks, operational risks, and reputational risk in general. These risks can hold significant financial consequences for central banks. This has spurred an increasing number of central banks to try and quantify operational risks in particular.

However, nonfinancial risk management of central banks has traditionally not received as much attention as financial risks and their management. In an earlier IMF Working Paper, 2 we ascribed this to the fact that central banks’ mandates, objectives, and functions were more limited before the Global Financial Crisis (GFC), but that with the advent of the GFC those mandates got expanded further into areas beyond price stability.

Several developments over the past years have even further increased that awareness of nonfinancial risks for the central bank. The focus on topics such as climate change, economic development/employment, financial inclusion, and fintech, have led to central banks becoming public super-institutions—seemingly capable of solving most of a country’s economic and financial problems. Clearly, this has also led to central banks moving into areas that might be in the realm of the fiscal authorities—with significant consequences for central bank nonfinancial risks related to those newer areas as well.

This paper focuses on central bank nonfinancial risks specifically related to the surge of technological innovations dubbed “fintech,” including the related area of cybersecurity, and how fintech and cybersecurity strengthen the need for enhanced central bank risk management. Central banks need to carefully consider this interplay between the possible upsides of fintech, and the guaranteed downsides of cyber risks, when trying to achieve their (often multiple) objectives.

The paper draws on:

1) Findings from nine (9) central bank technical assistance (TA) cases 3 from the IMF’s Monetary and Capital Markets Department (MCM, Central Bank Operations Division) and Information Technology Department (ITD, Digital Advisory Unit); and four (4) country cases (Indonesia, Luxembourg, Sierra Leone, and Ukraine);

2) Informal interactions on fintech with heads of risk management departments of several central bank members of the International Operational Risk Working Group (IORWG);

3) Participation in the EU’s Fintech Risk Management Project; 4 and

4) Findings from the IMF’s Article IV (AIV) database and from selected Financial Sector Assessment Programs (FSAP).

Section II will provide a definition and overview of “fintech” and related developments relevant for central bank risk management. Next, Section III will examine to what extent IMF technical assistance by MCM Central Bank Operations and ITD/Digital Advisory, as well as IMF surveillance has covered possible links between central bank risk management, fintech, and cybersecurity. Building on this, Section IV analyzes in more detail how specific fintech developments affect central bank risk management (focusing on strategy and policy risk, as well as operational risk). Finally, Section V draws conclusions and recommendations for central banks to consider.

Appendix I lists relevant risk management details of the Bali Fintech Agenda (BFA); Appendix II provides several country case examples.

II. Fintech—Definition, Principles, and Risk Management

Fintech, in the definition of the Bali Fintech Agenda (BFA), relates to “the advances in technology that have the potential to transform the provision of financial services spurring the development of new business models, applications, processes, and products.” 5 Similarly, the Financial Stability Board (FSB) 6 defines fintech as “technologically enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services.” Both definitions cover the extensive use of data by (and technological advances to) financial services, and leverage the explosion of Big data on individuals and firms, advances in AI/ML, computing power, lowering capital cost, cryptography, distributed computing and the reach of the Internet. The strong complementarities among these technologies give rise to an array of new applications touching on services from payments to financing, asset management, insurance, and advice. This creates the possibility of entities driven by fintech emerging as competitive alternatives to traditional financial intermediaries, markets, and infrastructures. 7

Fintech-related technologies have broad effects on a range of financial services. Figure 1 below demonstrates how AI, Big data, Distributed Computing, cryptography, and mobile access internet influence financial services from payments, to saving and lending, risk management, and financial advice (the latter could include components of consumer protection and financial inclusion as well).

Figure 1.

Major Technologies Transforming Financial Services

Citation: IMF Working Papers 2021, 105; 10.5089/9781513582344.001.A001


Risk management has been identified as relevant to fintech developments. The IMF/WB Bali Fintech Agenda (BFA) 8 highlights the necessity for central banks and supervisors to examine risk management components of fintech. BFA Principle IX (Ensure the Stability of Domestic Monetary and Financial Systems, see Appendix I) stresses that fintech “offers central banks the opportunity to explore new services, while having to consider new risks.” It focuses on policy aspects relating to Central Bank Digital Currencies (CBDC), payments systems, as well as financial stability aspects, including the lender of last resort-role of central banks.

The BFA includes a specific focus on risk management of fintech. Principle X (Develop Robust Financial and Data Infrastructure to Sustain Fintech Benefits, see Appendix I) stresses that “[e]ffective governance structures and risk-management processes are important to identify and manage risk associated with the use of fintech. The greater reliance on such technologies leads to new operational risks and more interdependencies among service providers… that may threaten the operational resilience of financial and data infrastructures.” This includes risks related to outsourcing, as Principle X refers to third-party service providers, and the fact that many of these providers “fall outside the regulatory perimeter,” which would require “increased emphasis on managing operational risks and ensuring robust outsourcing arrangements.” These risks may reach such significant levels that they require the development of a specific vendor risk management framework.

Principles IX and X are focused on fintech-related risks for financial institutions. However, the risk management aspects of the principles hold for central banks to a large extent as well, as the next sections will explore.

III. The IMF’s Involvement with “Fintech” and Risk Management

The IMF has been involved with “fintech” over the past decades. Though the concept of “fintech” was not necessarily used as such, much of the IMF work in surveillance, policy development, and technical assistance relates to technological developments in and of the financial sector, including of central banks and their risk management. 9

IMF technical assistance (TA) covers all the areas that the IMF works on. As noted, this paper looks at TA provided by the IMF in the context of central bank operations (central bank risk management, governance, internal organization, and cash currency management) and digital advice (in particular, cybersecurity).

The paper also examines IMF surveillance findings. Surveillance involves the IMF monitoring risks to domestic and global stability. The Fund does so by means of consulting with its member states, which is often referred to as the Article IV (AIV) discussions. These discussions with country authorities focus on exchange rate issues, monetary, fiscal, and regulatory policies, as well as macro-critical structural reforms.

Lastly, the IMF also gauges stability and soundness of the financial sector and assesses the financial sector’s potential contribution to growth and development. The IMF does so by means of its Financial Sector Assessment Program (FSAP), of which selected findings are also presented in the paper.

In these three modalities—TA, AIVs, FSAPs—attention for fintech and cybersecurity, and to a certain extent (central bank) risk management, is visible and made concrete, as the following subsections will highlight.

A. Technical Assistance: Advice on Fintech in the Context of Risk Management

TA by MCM and ITD on fintech and central bank risk management has increased since the publication of the BFA. In the period 2018–2020, MCM (in several cases together with ITD) provided central bank risk management TA, as well as bilateral advice to and discussions with central banks in all regions of the world, with a distinct fintech focus.

As Figure 2 shows, most TA and informal interactions in the period 2018–2020 on fintech and central bank risk management took place with central banks in the European and Middle East and Central Asia regions, and on the topics of (1) central bank risk management in general (including Business Continuity Management, BCM), followed by (2) fintech organization (i.e., relating to the central bank’s internal organization of fintech-related activities, for instance, by considering the setting up of a dedicated fintech unit), (3) central bank cybersecurity, and, in two cases, (4) developments of digital payments in the context of central bank risk management and cash currency management. 10

Figure 2.

Central Bank Risk Management, Fintech, and Cybersecurity

The main categories of questions raised by the respective central banks related to the following fintech components (see Figure 3 below):

Figure 3.

Main Fintech Issues Discussed in the Context of IMF Risk Management TA

1) Risk Management: ensuring fintech risks that may affect the central bank are adequately covered by the central bank’s risk management department. In several cases, the central bank risk management departments were not fully aware of emerging fintech risks, for instance, related to cloud computing (see also Section IV (H))—even though risks related to the use of third parties and outsourcing in general did exist (for instance, related to general procurement and use of services from third parties). In another case, the risk management department arranged for a presentation by the central bank’s fintech department to the IMF TA mission and the risk management department itself. The presentation covered key domestic fintech developments among financial institutions. Subsequently, the discussion between the fintech department and the risk management department allowed the risk managers to be further informed of key fintech developments, and to translate them into developments that might affect the central bank itself. In general, closer cooperation between the central bank’s (i) IT department, (ii) fintech department (where applicable), and (iii) financial supervision department (where applicable) proved to be beneficial, as often fintech-related knowledge was already available “in house,” but not necessarily available to the risk management department. This also included identifying cyber risks emerging from fintech developments and ensuring sufficiently strong central bank cyber resilience is in place or is being developed.

Several TA missions also focused on details of central bank security posture, and whether the involvement of third-party vendors would be sound from a central bank risk management perspective. Experiences from other central banks were shared, including on how to set up a central bank Security Operation Center (SOC), 11 conduct cybersecurity assessments (including red, blue, and purple teaming exercises) mainly to examine the SOC’s effectiveness, and provide assurance to central bank decision-makers on cybersecurity arrangements.

2) Decision-making: ensuring the central bank’s decision-makers (i.e., senior management and Board) are adequately aware of fintech opportunities and risks in their jurisdiction and are aware of how these developments could feed into the central bank’s strategic planning process and its internal risk management. In most cases, the central bank’s key decision-makers (i.e., members of the decision-making body/bodies, such as the governor, deputy governors, and nonexecutive Board members—where applicable) were not fully informed of, or up to date on relevant fintech and cybersecurity developments and how these could affect the central bank’s risks (or provide opportunities), and no discussions had taken place in the context of the central bank’s risk appetite. Often this turned out to be a more systemic central bank governance issue, as in three cases the decision-making body was not at full strength, with in particular nonexecutive Board members’ position not yet being filled—even though especially nonexecutive Board members would have a key role to play in identifying strategic developments, including those relating to fintech, cybersecurity, and the role of and effect on the central bank. Additionally, some of these cases also highlighted internal silos, with a fintech department reporting to one specific decision-maker, and risk management reporting to another, without proper information-sharing arrangements.

3) Internal Organization: facilitating internal central bank discussions on whether there is a need and necessity to have a fintech unit, the roles and responsibilities of such a unit, and its place within the internal organization. In three cases, the central bank requested IMF advice on how to set up a fintech department, without it necessarily being clear what such an organizational unit would focus on. In most cases, the fintech department aimed at contributing to financial supervision by identifying fintech developments among financial institutions and examining licensing requirements—including in the context of a regulatory sandbox. In one other case, the fintech department was specifically set up to contribute to financial inclusion, highlighting less of a focus on upholding prudential requirements, and more on deepening the financial market.

Other internal organization issues that the respective TA missions provided support on related to ensuring that central bank staff (in particular financial supervisors, IT staff, risk management staff) had a proper understanding of relevant fintech developments, and were able to update their knowledge and expertise on a regular basis. One central bank moved to having regular, open meetings with fintech companies at the central bank’s premises, allowing them to showcase their products and services, facilitating interaction with central bank staff, and thereby enhancing the central bank’s staff’s understanding of relevant fintech developments. Cooperation with other involved agencies and donors, including the United Nations and the World Bank, proved to be helpful as well, with fintech experts from their sides providing training to central bank staff in specific fintech areas.

4) Cash Currency Management: discussions on the interaction between cash currency management and related risks, and the development of digital payments. In a few cases, the risk management department and the currency department raised concerns about moving towards a more cashless society, and/or the increased practical use of digital payments. In one case this related to the use of SIM chips and money stored on those SIM chips, including questions on which agencies would be responsible for overseeing the respective telephone operators. In another case, the central bank presented its case on a CBDC and how it had identified opportunities as well as risks for the central bank itself. In another example, the central bank was exploring the possibility of issuing a CBDC, and the IMF highlighted a number of operational issues and gaps within the central bank’s cyber resilience program to improve the internal processes, technologies and skillset needed to maintain a high level of assurance of their standing infrastructure, and to include the newly introduced CBDC ecosystem as well. One of the issues highlighted, which was raised by the central bank internal security team, was the lack of a SOC within the central bank to monitor their infrastructure and systems, capable of instantly responding to any threat or incident. Running a SOC capable of monitoring and responding 24/7/365 days to any security issue is fundamental to fintech services, especially with more widely accessible systems such as CBDC in comparison to closed traditional payment systems with selective participants (usually commercial banks and credit unions). This is under the assumption that the central bank is maintaining the backend core-system.

Practical examples of IMF TA recommendations on central bank risk management and how fintech and cybersecurity (should) tie into risk management are provided below. Tables 1 and 2 below provide anonymized examples of recommendations from the IMF in two recent MCM TA missions.

Example: IMF TA Recommendations on Central Bank Risk Management, Fintech, and Cybersecurity

1 (and provide support for their nonexecutive responsibilities), in line with IMF Safeguards Recommendations. [Governor to highlight the necessity] As soon as possible
2 (initially, only focusing on strategic risk assessment, see below). [Governor to highlight the necessity] After appointment of remaining Nonexecutive Board members
3 , built on Operational Risk Management (ORM) achievements, complete a multilayered perspective to avoid risk blindsides. Risk Management Department (RMD) 12–18 months
4 (ERM) to strengthen, streamline and integrate oversight and performance. RMD 18–24 months
5 within the central bank’s risk management Framework. RMD, Fintech Unit 1–6 months
6 with technologists within the RMD. RMD 6–12 months
7 , addressing: RMD 6–18 months

Example: IMF TA Recommendations on Central Bank Strategic Planning, Risk Management and Cybersecurity

1 Appoint (and provide support for their nonexecutive responsibilities), in line with IMF Safeguards Recommendations. [Governor to highlight the necessity] [asap]
2 Adjust the to express how the central bank intends to deliver the priorities in the Strategic Plan. Undertake a thorough based on the information shared by the mission and re-consider what is made public. Governor (sponsor), Risk Management Department (RMD) 3–6 months; 12–24 months
3 Have the at a sufficient frequency and to a sufficient depth, to facilitate timely challenge and support by the nonexecutives. Board Ongoing (after appointment)
4 Develop a . RMD 12–15 months
5 Ensure empowerment and presence of the , including monitoring strategic plan progress and risks, and mandatory participation in the central bank’s key forums. Governor (sponsor), RMD Ongoing
6 Create further and of the departmental risk champions. RMD Ongoing
7 Conduct a (RCSA) of processes. RMD 6–12 months
8 Set up the . RMD 12–18 months
9 Incentivize risk management . RMD Ongoing
10 Strengthen the . RMD, IT Department (ITD) 24 months
11 Build and launch the (SOC) capabilities and perform periodic evaluation exercises. RMD, ITD 18–30 months
12 Enhance during the evaluation, development or acquisition of new and existing information technology projects and systems. RMD, ITD Ongoing
13 Adopt a . RMD, ITD 24 months

The COVID-19 pandemic has exacerbated possible fintech and cybersecurity risks for central banks even further. Two IMF COVID-19 Special Series Notes 12 highlight specific risk management issues that central banks (could) face in trying to deal with the pandemic and its consequences; another Note highlights the general cybersecurity risks related to working-from-home arrangements. IMF staff recommends that a clear risk management framework (including BCM) is the first and foremost prerequisite for central banks trying to deal with risks related to COVID-19, with a specific focus on nonfinancial risks. Also, “[c]entral banks will need to make adequate preparations prior to return to work (…). This includes maintaining the existing flexible business continuity and risk mitigation arrangements, as well as raising the level of health and safety measures for an extended period of time.” Table 3 below provides an overview of the possible COVID-19 risk management measures that central banks could explore, or are already exploring, based on informal discussions with Heads of Risk Management Departments from selected central banks.

Example: Overview of Possible COVID-19 Central Bank Risk Management Measures

1 • Identifying and sharing best practices in COVID-19 risk management together with financial institutions.

• Onsite supervision cancelled.

• Reducing reporting requirements (frequency, simplified contents, and term extensions).

• Recommendations on fulfilling role in accordance with Government measures (moratory of payments, dividend policy)
• Cross-training of staff for critical functions is complicated in working-at-home environment (suggestion: have junior staff listen in on selected technical discussions).
2 • Large-scale issuing of hardware (laptops), including delivering these to staff at home and authorizing use of private laptop in some cases.

• Opening IT systems for remote access and implementing the necessary prerequisites/requirements.

• Installing additional software (Citrix, Microsoft Teams, OTP applications).

• Identify crucial third parties (especially for cloud computing and general IT infrastructure).

• Basic telephone lists drafted and distributed among staff in case regular infrastructure fails.

• Additional penetration tests conducted to assess IT vulnerabilities.

• Increased staff awareness activities, especially relating to phishing (all central banks) and information protection.

• Central bank VPN monitored 24x7 by cyber security division.
Support from Board or Management at early stage of the crisis is sometimes difficult, as COVID-19 effects are not fully clear.
3 • Internal: avoiding fake news, boosting morale (videos or messages by Governor and by the Board) providing info on health care services, clear feedback from Board/Management.

• External: public communication, as well as sharing information with stakeholders (ministries, other regulators).

• In some cases, crisis communication actions were needed after a confirmed case was detected among bank’s staff, as well as to avoid fake news.
Difficult to keep up with continuously changing news; central bank needs to be proactive, fast, and accurate.
4 • Identifying and sharing best practices in COVID-19 risk management together with financial institutions.

• Onsite supervision cancelled.

• Reducing reporting requirements (frequency, simplified contents, and term extensions).

• Recommendations on fulfilling role in accordance with Government measures (moratory of payments, dividend policy)
5 • Large-scale issuing of hardware (laptops), including delivering these to staff at home and authorizing use of private laptop in some cases.

• Opening IT systems for remote access and implementing the necessary prerequisites/requirements.

• Installing additional software (Citrix, Microsoft Teams, OTP applications).

• Identify crucial third parties (especially for cloud computing and general IT infrastructure).

• Basic telephone lists drafted and distributed among staff in case regular infrastructure fails.

• Additional penetration tests conducted to assess IT vulnerabilities.

• Increased staff awareness activities, especially relating to phishing (all central banks) and information protection.

• Central bank VPN monitored 24x7 by cyber security division.
• Almost no central bank had deployed or tested telework (working-at-home) in a large-scale in the past.

• Cyber risk is biggest concern, especially with weak endpoints (e.g., private laptops, including for critical services), and limited data-protection measures. Phishing attacks on staff are on the increase.

• Unclear whether IT infrastructure can support this situation in the mid- to long-run/cracks appearing.
6 • Examining if existing legislation and measures are sufficient for (policy and operational) responses.

• Increasing monetary policy risk tolerance to allow easier access to liquidity.

• Examining overall effects of monetary policy measures on risk exposure of central bank

• Reviewing risk appetite.

• Strategic risk assessment needed to see if central bank can still achieve its (legal) mandate – need to reprioritize objectives, including postponing larger projects.

• Risk Management Department (RMD) plays key role in collecting bank-wide information for Management & Board. In some cases, RMD powers are significantly expanded to collect risk data directly from departments without departmental management involved.

• BCM planning was not sufficient (these kinds of extreme scenarios were never included/tested). Some banks had to define new strategies based on worst case scenarios.

• Enhanced assessments of critical functions, and staff (when less than 6 people can perform a critical activity). For some central banks critical processes were expanded from the ‘normal’ 50 to currently 300 – due to predictions based on an extended 90-day window for COVID-19 effects.

• Extension of BCM scope to all central bank activities, including those who were initially considered non-critical.

• Development of new internal risk templates to minimize administrative burden on departments.
Legal and reputational risks emerging due to central banks conducting additional (policy) measures, changed public opinion, and effects on financial institutions.
7 • Minimized interpersonal contacts by more shifts, social distancing, additional cleaning/sanitization of buildings and equipment including between shifts.

• Quarantining of banknotes between 7 to 15 days.

• Still some limited interaction with financial institutions in the form of cash deliveries; no more printing of new banknotes, no more sorting of banknotes and no more flights with banknotes. No sanitization of banknotes was carried out by central banks.

• Strategic stock of banknotes in branches is increased to 3 months.

• Active encouragement of electronic payments and online transactions (by reducing or eliminating usage fees during the crisis period)
Cash currency management is most sensitive area for new COVID-19 central bank infections.
B. IMF AIV: Fintech, Cybersecurity, and Risk Management References

When examining the IMF’s Article IV (AIV) database, 1,095 unique hits 13 can be found relating to “technology,” spanning the period from 1978 until 2017.

Figure 4 below highlights the number of references per year for different time periods. Clearly, there has been a significant increase in AIV references to technology-related issues in/of the financial sector over the past years, with the period after 2011 showing the bulk of attention for technology-related issues in AIVs.

Figure 4.

IMF Article IV References to “Technology” (per time period, average per year, 1978–2017)

Figure 5 zooms in on fintech discussions in the one-year period between January 2018 and February 2019, where the majority of fintech issues are classified as “substantive discussions,” followed by the more generic acknowledgement of fintech in the AIV (without further substantive discussion).

Figure 5.

IMF Surveillance and Fintech

The geographical attention for technology-related issues between 1978–2017 is predominantly centered on the African and European regions (Figure 7); in the period January 2018–February 2019 this moved to Asia Pacific and (to a lesser extent) Western Hemisphere (Figure 5). This significantly increased attention coincides with the increase in general attention for “fintech,” as Figure 6 demonstrates (Google search for “fintech”).

Figure 6.

Google Search Interest for “Fintech” (2004–2019)

Figure 7.

IMF Article IV References to “Technology” (per geographical region)

It should be noted that “finance and technology” references in the context of AIVs are understandably broader than the current scope of “fintech.” The AIV references to finance and technology, as well as cybersecurity, often relate to different sets of findings, such as:

a) General investment/foreign direct investment (FDI) policies;

b) Agricultural technology (including drilling and mining), and other application areas of technology (including space technology); and

c) Fiscal technology (i.e., to improve fiscal operations, including tax revenue collection).

However, within the search results of “finance and technology,” several subsets of areas of interest can be identified that could relate to central bank risk management as well, including:

a) Information (and communication) technology: references include the building of IT capacity at central banks and Y2K-related risks, which would come closest to the current concept of fintech;

b) Financial inclusion technology, which aligns with one of the key goals of fintech often mentioned by central banks—see below;

c) Digital development strategies: this includes government-wide strategies, as well as the building of technology hubs (in particular, around the turn of the century), which is similar to jurisdictions like Singapore, UAE, and Hong Kong SAR positioning themselves as fintech hubs and fintech innovation centers;

d) Telecommunications development;

e) In occasional cases, explicit references to “fintech” can already be found. In the case of one European country reference is made to “regtech” avant la lettre (2001), as is the case for “fintech” in another European country (2016); and

f) Cybersecurity: out of the 1,095 AIV search hits on technology, only three AIVs could be found with explicit references to cybersecurity. These AIVs all took place after 2015, and generally highlight the role of the authorities in bolstering resilience to cyber-attacks (with one explicit reference to the Bangladesh Bank cyber heist), including in commercial banks.

The IMF 14 notes that the most recent AIV cases where fintech was discussed relate to links between digital payments and financial inclusion (for instance, Cambodia, Peru, and Tuvalu), as well as “setting up appropriate frameworks and safeguards to develop crypto-assets, including digital currencies projects in small states (the Republic of Marshall Islands (RMI) and Curacao and Sint Maarten).” Additionally, fintech has been brought up in the AIV context regarding China’s fintech industry, and development of financial centers into so-called fintech hubs (such as Hong Kong SAR and Singapore).

On a side note, the links between finance and technology and climate change (risks) should also be noted. In several AIV cases, the links with climate change and the role of the financial sector are made explicit, highlighting how several of the IMF’s overarching policy areas and the accompanying macro-financial risks, are closely related. Examples include considerations on the introduction of low-carbon technologies and noting how the presence of only rudimentary technology has created vulnerabilities to climate change-related issues.

Specific risk management references in the context of “fintech” cover various areas. Most references 15 in the IMF’s AIV database relate to risk management in the context of operational risk for financial sector oversight, that is, in the context of financial supervision. Often, concerns are raised regarding outsourcing of specific activities by financial institutions, and whether third-party risk is managed properly. In those cases where outsourcing aspects of governmental services (including the outsourcing of supervisory functions, and the development of “e-government”) are identified, risk concerns are not often noted explicitly, or are possibly overlooked. Instead, the upsides of cost-efficiency and higher operational efficiency are more predominant. There is some specific attention for risks of the central bank, especially in cases related to IT, as well as operational risks related to Financial Market Infrastructures (FMIs) and setting up and maintaining infrastructure for RTGS systems.

Central bank-related cybersecurity risks have emerged only more recently. Several AIV cases, predominantly after 2015, refer to “cyber” issues. This relates to initiatives to reinforce central bank cyber-security, especially after the Bangladesh Bank’s “cyber-heist” in February 2016—which is referred to in a couple of cases.

In conclusion, IMF attention for fintech will likely only continue to increase in its areas of surveillance, affecting most of the Fund’s membership. Earlier references in AIVs to finance and technology highlight that IMF staff are aware of opportunities and risks that countries—their central banks, supervisors, and other public agencies—might run because of technological developments. Attention has been given predominantly to IT, financial inclusion technology, digital development strategies, telecommunications development, and some initial “fintech” activities. The Fund stresses this increased attention by highlighting that further “advances in AI, digital identification and cybersecurity are enabling new models for managing risk for individuals, financial institutions, and regulators.” 16 Substantive discussions on fintech in AIVs are increasingly common, and authorities would do well to prepare for these discussions accordingly.

C. IMF FSAP

Attention for the links between risk management, fintech, and cybersecurity in IMF FSAPs is also increasing.

The Switzerland FSAP 17 stresses that “[r]isks in the rapidly growing fintech space may not be well understood due to data gaps, resource constraints, and the authorities’ liberal approach.” It recommends that the Swiss authorities, including the central bank and the financial supervisor, address data collection, analytical capacity, and resources for dealing with fintech-related challenges. This in turn “should also inform development of fintech-related policies and legislation.”

The FSAP on Singapore 18 noted that “fintech developments hold the promise of having a far-reaching impact on the Singaporean financial services sector, bringing both opportunities and new risks,” for clients, financial institutions, and the financial system as a whole. This could include questions relating to (the applicability of) regulation and the absence of internationally agreed standards, forcing the authorities to “ensure an appropriate balance between opportunities and risks.” Though the FSAP mainly talks about financial institutions, its statement that “uncertainty surrounding technology” might pose challenges could likely extend to the central bank (the Monetary Authority of Singapore) as well. This is even more so as the main fintech risks are noted as operational and technology-related risks: “Execution risks to implement new strategies and manage business and technology risks are increasingly top risk priorities. Yet a complicating factor are banks’ legacy systems with older, slower, and less agile systems increasing banks’ inherent risk profile. Additionally, an increasing use and reliance on third-party service providers is evident in the sector” (underlining added). This would, as we have noted already, arguably also apply to central banks, in particular those that have not sufficiently invested in their internal organization, systems, and processes (though it should be stressed that this was not explicitly noted in the Singapore FSAP). Lastly, and importantly, the FSAP also notes that operating a fintech sandbox is not without risk to the central bank: “[t]he potential for reputational risk from the regulatory sandbox needs to be monitored. The sandbox is new, and [the Monetary Authority of Singapore] noted its benefits of facilitating innovation in a controlled environment. The main challenge is to strike a balance between the benefits of fintech firms experimenting in a live environment while mitigating potential downside risks.”

In the case of the FSAP on Canada, 19 IMF staff noted that Canadian authorities were proactive in monitoring fintech developments, including through fintech research which was helpfully conducted to assess the impact on the financial system and the Bank of Canada’s core functions. The Canadian Department of Finance, additionally, worked on setting up a new retail payments oversight framework, and examined the possibilities of open banking. Lastly, a so-called “Heads of Agencies Crypto-Asset Working Group was established to coordinate efforts in monitoring developments in crypto-assets with the aim of developing a consistent and clear domestic regulatory framework.”

Most recently, in the FSAP on Korea, 20 it was noted that “even within an already highly technologically advanced, efficient, and inclusive financial sector, significant benefits can still be reaped from innovation in financial services.” However, “new risks could arise in time, such as increasing interconnectedness and complexity in the financial sector, the introduction of greater operational risk, and negative impact on the profitability of incumbent banks.”

Figure 8 below provides a schematic overview of the attention for fintech in the selected FSAPs mentioned above, and the specific attention for risks and risk management-related areas.

Figure 8. Selected IMF FSAP References to Fintech

The relevance of IMF attention for finance and technology in AIVs and FSAPs will incentivize further awareness among central banks to ensure adequate understanding and identification of fintech-related risks that they themselves run. Legacy (IT) systems, the involvement of third parties (for instance, in the context of cloud computing—see Section IV. H and Box 2), already identified nonfinancial risks (operational and reputational, in addition to legal risk), and the need to ensure sufficient resources (which in turn requires proper strategic planning by the central bank) are key themes.

IV. Fintech and Central Bank Risk Management—Examples

Given the definition of fintech (Section II), and the emerging attention for fintech in TA, AIVs, and FSAPs (Section III), it is important to examine in more detail how fintech developments could possibly affect a central bank’s risks and its risk management, by means of examples.

Fintech can hold policy risks related to several core central bank functions. Given the wide range of technologies flagged in Figure 1 above, fintech will likely affect central bank functions such as monetary policy, payments systems regulation, operations, and oversight, financial supervision (and other financial stability functions: macro prudential oversight, resolution, ELA/LOLR), cash currency management, and reserve management, as well as central bank functions in the areas of financial integrity and financial inclusion.

Figure 9 below provides an overview of central bank risks: strategy and policy risk (that are inherently the result of the central bank’s overall strategy and its policies), financial risk (as a result of financial operations), and operational risk (based on a wide variety of risk categories, including IT infrastructure, cybersecurity, outsourcing, governance, and processes). Tying these together is reputational risk—a risk category that results from one or more of the other risks materializing. The subsections below will delve deeper into (i) policy risk emanating from selected central bank functions, as well as (ii) operational risk emanating from the central bank’s internal organization, to highlight how fintech and cybersecurity developments might offer opportunities to a central bank, but simultaneously also introduce or exacerbate existing central bank nonfinancial risks. This, in turn, highlights the continued need for stronger central bank risk management, in particular as many of the highlighted risks overlap: central banks, therefore, should ensure an integrated fintech and cybersecurity analysis, including through the lens of central bank risk management.

Figure 9. Central Bank Risk Landscape

A. Monetary Policy & Operations

Various IMF staff have identified fintech-related opportunities in the realm of monetary policy and monetary policy operations—with a particular focus on CBDC. 21 This includes effects to increase the effectiveness of monetary policy transmission, increase seigniorage income for central banks, facilitate cross-border payments, 22 and—in the case of a wholesale CBDC—facilitate wholesale payments or improve the effectiveness of existing Real Time Gross Settlement Systems (RTGS). Some IMF staff have also explored whether a CBDC could be designed with attributes like cash or deposits, and whether they could be interest-bearing. 23

Most authors note that CBDCs carry a form of risk to the central bank as well, in addition to benefits. For digital money across borders, for instance, the IMF finds that foreign CBDCs, as well as Global Stable Coins (GSC) could “raise pressures for currency substitution and worsen vulnerabilities from currency mismatches. They could reduce the ability of local authorities to run monetary policy. [And] they could facilitate illicit flows and make it harder for regulatory authorities to enforce exchange restrictions and capital flow management measures.” 24 All of these issues are clearly contingent on the design of the CBDC, and the literature is very much in development.

Other relevant monetary policy aspects include broader issues relating to access to central bank money and its risk implications, that is, the provision of credit facilities, collateral and prefunding arrangements, and operational risk considerations. Central bank examples include the Bank of England’s access provision to TransferWise, as well as access to the non-bank switching company in the Australian National Payment Platform.

Distributed Ledger Technology Experiments in Payments and Settlements

Distributed Ledger Technology (DLT) is a possible platform for enhancing payment systems by integrating and reconciling settlement accounts and ledgers. Various central banks have conducted DLT research (and experiments with large-value interbank payments) to examine benefits, risks, limitations, and implementation challenges of DLT in the context of payments and settlements. This includes Brazil, Canada, the Euro area/Japan, Singapore, South Africa, and Thailand. Some central banks and private sector participants have also examined DLT for cross-border payments.

Key risks of DLT, and other technologies, for payments and settlements include liquidity, credit, transaction delay, settlement finality, counterparty, and operational risks. The latter category includes cyber risk incidents. Even though these operational risks are not different from the standard computerized processing, it is the faster (real-time) environment that requires “very fast and highly automated error-handling processes to limit the volume of transactions affected by operational errors.” This, in turn, “calls for improved monitoring systems and error-correction solutions.” Additionally, cyberattacks could “compromise data confidentiality, service availability, and systems integrity (…) [and] also affect established settlement finality rules and recovery time objectives.”

The potential benefits of DLT therefore require careful consideration from a (central bank) risk management perspective.

B. Financial Market Infrastructures

FMIs 25 play an important role in a country’s financial system at large. The 2012 Committee on Payments Market Infrastructures 26 Principles for Financial Markets Infrastructures (PFMI) were drafted precisely to help identify and mitigate risks related to this systemic nature of FMIs. FMIs “facilitate the clearing, settlement, and recording of monetary and other financial transactions [which] can strengthen the markets they serve and play a critical role in fostering financial stability.” Given this role, they could also “pose significant risks to the financial system and be a potential source of contagion, particularly in periods of market stress.” 27

Payments systems operations and oversight are closely linked to fintech developments. The use and operation of (real-time) settlement systems 28 are examined by several central banks from the viewpoint of increasing effectiveness, and/or security by applying distributed ledger technology (see Box 1). Not surprisingly, the Reserve Bank of India (RBI) recently indicated that payment and settlement systems are “technology-based substitutes for currency,” tying fintech developments in this area unequivocally to not only its FMI, but to its currency management and monetary policy functions. 29

The PFMI offer existing guidance on how to deal with fintech-related operational risks. Principle 17 expands on this and puts the key responsibility with the board of directors for defining operational risk (both roles and responsibilities, as well as endorsing the framework). It goes on to specify details on business continuity plans, policies relating to physical and information security, as well as outsourcing risks, and how monitoring should ideally take place. The PFMI highlight similarity with commercial risk management practices, stressing that commercial standards on information security, business continuity, and project management can be helpful for FMIs.

As an example, the RBI stresses in its recently updated Booklet on Payment Systems 30 regarding its FMI oversight framework that the payment landscape “has experienced extensive leveraging of advanced technology in facilitating processing of payment transactions by the PSOs [Payment Systems Operators] as well as their service providers/intermediaries/third party vendors and other entities in the payment ecosystem. On the other hand, the number, frequency and impact of cyber incidents/attacks have increased manifold.”

C. Reserve Management

As per the IMF definition, 31 central banks’ reserve management relates to ensuring that there are adequate official public sector foreign assets. These need to be readily available to, and controlled by, the authorities for meeting their (pre-defined) objectives. Reserve management is clearly a central bank activity related to core policy decisions. 32 The buying, selling, and managing of the central bank’s foreign assets entail risk; not just financial, but also nonfinancial. “Reserve management should seek to ensure that (1) adequate foreign exchange reserves are available for meeting a defined range of objectives; (2) liquidity, market, credit, legal, settlement, custodial, and operational risks are controlled in a prudent manner; and (3) subject to liquidity and other risk constraints, reasonable risk-adjusted returns are generated over the medium to long term on the funds invested.” 33 (underlining added)

To contain/mitigate reserve management’s operational risks, proper internal governance arrangements are essential. The IMF Guidelines highlight, for instance, the need to “be guided by the principles of clear allocation and separation of responsibilities and accountabilities.” The central bank is advised to have “appropriate hierarchical levels”, a “committee structure”, and a clear separation/independence of the investment side from the risk control/management side to avoid improper incentives. Reserve management also requires checks and balances in the form of internal audits and well-trained staff. Most indicative of the operational risk effects that reserve management activities can have, is the statement that “it is important to identify the level of authority that would reconcile inconsistencies or interferences between reserve management activities and other central bank functions. Unwanted signaling effects from reserve management operations should be avoided.” 34

The IMF Guidelines on FX Reserve Management present 35 several clear examples of operational risks related to reserve management:

a) Control system failure risks: There have been a few cases of outright fraud, money laundering, and theft of reserve assets that were made possible by weak or missing control procedures, inadequate skills, poor separation of duties, and collusion among reserve management staff members.

b) Financial error risk: Incorrect measurement of the net foreign currency position has exposed reserve management entities to large and unintended exchange rate risks and led to large losses when exchange rate changes have been adverse. This has also occurred when risk has been measured only by reference to the currency composition of reserves directly under management by the reserve management unit and has not included other foreign currency-denominated assets and liabilities on and off the reserve management entity’s balance sheet.

c) Financial misstatement risk: In measuring and reporting official foreign exchange reserves, some authorities have incorrectly included funds that have been lent to domestic banks or to foreign branches of domestic banks. Similarly, placements with a reserve management entity’s own foreign subsidiaries have also been incorrectly reported as reserve assets.

d) Loss of potential income: A failure to reinvest funds accumulating in clearing (nostro) accounts with foreign banks in a timely manner has given rise to the loss of significant amounts of potential revenue. This problem arises from inadequate procedures for monitoring and managing settlements and other cash flows and for reconciling statements from counterparts with internal records.

In all these examples, fintech could assist central banks to enhance their reserve management, for instance, by allowing machine learning applications to analyze financial patterns, identify possible anomalies (such as those related to fraud), and allow for enhanced data reporting to a central bank’s first and second lines of defense. The two most relevant fintech applications for asset management in general, as noted in a PWC study, 36 relate to (i) increased sophistication of data analytics to better identify and quantify risk, and (ii) automation of asset allocation. As such, PWC notes that “[m]achine learning technology is transforming risk management by enabling computers to identify patterns in market behavior and analyze transactions almost in real time.” It is not unimaginable that central bank reserve and asset managers would similarly benefit from fintech applications.

D. Financial Inclusion

Financial inclusion implies that individuals and businesses have access to useful and affordable financial products and services that meet their needs, and that are delivered in a secure, responsible, and sustainable way. Central banks increasingly have specific roles on, and responsibilities for (stimulating and/or supporting) financial inclusion, as noted above.

Fintech carries significant direct gains for financial inclusion by contributing to increased financial sector efficiency. Fintech could (1) facilitate access to credit, insurance, and pension products, (2) lower costs of cross-border transfers (including worker remittances), (3) stimulate tailored investment products, and (4) strengthen financial literacy and education. Relevant technologies relate to mobile access, API and Internet, Big data and AI, DLT, and cryptography. Indirect fintech gains could be found, for instance, by using DLT payment systems to enhance real-time payments—which could eventually help customers of pay day lenders. Financial inclusion cases using fintech tools in one way or another can be found in different regions of the world. 37 Often, a combination of a high financial exclusion rate with a high cellphone penetration rate allows for leapfrogging in providing financial services to the unbanked and poorest parts of the population.

The IMF 38 (in the context of developments in Asia) stresses that fintech could support “growth and poverty reduction by strengthening financial development, inclusion, and efficiency,” supported by strong cellphone penetration in particular (see Zhang and Chen 39 for the case of China in particular). This would allow fintech applications in the areas of micro loans, as well as bookkeeping and accounting tools for Small- and Medium-Sized Enterprises.

Other central banks have indicated that they would want to enhance their decision-making on fintech and financial inclusion. The RBI, for instance, wants to “further deepen digital payments and enhance financial inclusion through FinTech… [by] appoint[ing] a five-member committee under the chairmanship of Shri Nandan Nilekani.” 40

Fintech could enhance financial inclusion by increased loan allocation, and lower rates—but also carries risks, including from a consumer protection perspective. See for instance Bazarbash, 41 who indicates that, in particular, fintech credit “has the potential to enhance financial inclusion and outperform traditional credit scoring by (1) leveraging nontraditional data sources to improve the assessment of the borrower’s track record; (2) appraising collateral value; (3) forecasting income prospects; and (4) predicting changes in general conditions.” This could lead to significantly shortened credit allocation times and lower loan rates.

However, he also stresses that overreliance on learning from data could lead to opposite effects: the exclusion of creditworthy applicants. Financial institutions and central banks should therefore be aware of these risks and address them accordingly—this holds even more for central banks that have an explicit legal mandate on financial inclusion or consumer protection. Berkmen, Beaton, et al. 42 (for Latin America and the Caribbean) similarly indicate that regulatory frameworks and supervisory practices should “be adapted for orderly development and stability of the financial system, to facilitate the safe entry of new products, activities, and intermediaries and to respond to and prevent stability and integrity risks.”

E. Financial Supervision 43

Closely linked to what is noted above on financial inclusion, the potential effects of fintech on/for financial supervision are similarly substantial. On the one hand, supervised entities are increasingly employing a wide range of fintech tools to ensure more efficient and effective reporting to the supervisor and regulatory compliance in general (“regtech”). On the other hand, financial supervisors themselves are exploring possibilities of using fintech tools to enhance their means and methods of (risk-based) supervision as well (“suptech”).

Central banks and financial supervisors have started to recognize opportunities and risks that are linked to these developments. RBI stresses that early recognition of fintech risks and challenges is crucial. Not just to use fintech to the advantage of the supervisor (with RBI “suptech” examples such as their Import Data Processing and Monitoring System, Export Data Processing and Monitoring System, and the Central Repository of Information on Large Credits), but also to enhance the RBI’s risk-based supervision in general, with an even stronger basis in data-driven risk analytics, for instance. Risk management is crucial, as Governor Das noted: 44

A strong risk culture—in which risk detection, assessment and mitigation are part of the daily job of bank staff—will be central to the success of managing the emerging risks. Similarly, systemic risks may arise from unsustainable credit growth, increased inter-connectedness, procyclicality, development of new activities beyond the supervisory framework and financial risks manifested by lower profitability. Risks for FinTech products may also arise from cross border legal and regulatory issues. Data confidentiality and customer protection are major areas that also need to be addressed.

The Financial Stability Institute (FSI) 45 has identified opportunities and risks for financial supervisors. The suptech opportunities predominantly relate to data-collection, as well as subsequent data-analytics, with examples spanning real-time monitoring to early identification of insider trading. See Figure 10 below.

Figure 10. Areas of Financial Supervision in which Suptech Applications are Used

As far as suptech-related risks go, the list below is based on the eight noted FSI categories of challenges/risks for central banks that are also financial supervisors:

1) Technical risk: e.g., computational capacity constraints, as well as lack of transparency on how certain technologies work (this could include algorithmic governance issues). See also further on AI/ML.

2) Data quality risk: quality as well as completeness of data from non-traditional sources (such as social media) can create issues. Similarly, the size of data, for instance regarding equity and derivatives markets transactions, could pose a “too big to handle” issue for supervisors.

3) Legal risk: enhanced data collection could create additional legal risk, for instance, when data privacy (and legal obligations on data privacy) are violated.

4) Operational risk: “[h]eightened operational risks, including cyber-risk, were mentioned underscoring the need for improved risk management in supervisory agencies when using suptech applications.” This is specifically a concern for open source and third party and cloud applications: “[i]ncreased third-party risks related to cloud computing and algorithm providers can result when data is transmitted online or is handled by third parties. Data security issues may also arise in the context of supervisory reporting applications where the supervisors’ and the banks’ systems are interconnected… A robust risk management and control framework should therefore accompany the use of suptech.” In addition, common platform vulnerabilities or back-doors among these third parties or cloud providers may pose a difficult risk to manage due to its complexity and far reach. A recent example is the SolarWinds 46, 47 security incident that impacted many large and reputable organizations including financial institutions 48 and even security service providers. 49

5) Reputational risk: false positives or false negatives because of an increased use of suptech could damage the supervisor’s reputation. Lacking transparency in “black-box algorithms” could similarly negatively affect the accountability of the supervisor (ref. Toronto Center, 2018), as well as damage their reputation and trust in general.

6) Resource risk: supervisors face additional constraints in finding staff that is sufficiently trained and experienced in dealing with fintech-related issues. This includes roles such as finding the right use-cases or researching and exploring the technical and financial risks associated with these emerging solutions.

7) Internal support system risk: based on the survey of the authors, supervisors can face issues with lacking or insufficient internal support from the supervisor’s management and/or Board. This could in part be due to a lack of understanding, as well as the need to incorporate fintech-related issues into the strategic planning cycle of the supervisor and prioritize accordingly.

8) Practical issues: examples are mentioned of procurement processes that could take long, which is another form of operational risk for the supervisor.

Fintech developments could also lead to (further) regulatory arbitrage. Lukonga 50 points out that gaps in domestic regulation and supervision could “create opportunities for cross-sector and cross-border regulatory arbitrage. Non-bank payment service providers, such as telecommunication and technology companies, do not immediately fit neatly into the jurisdiction of any specific regulatory authority, or there may be ambiguity as to which authority is responsible for the non-banks.” An additional issue of regulatory arbitrage could be sparked due to the (significant) cost of implementation of suptech. This might only be feasible for some market participants (such as bigtech/incumbent firms), limiting the ability of SMEs to implement suptech solutions. This, in turn, could also lead to a separation in tech and non-tech supervision, creating an additional regulatory arbitrage environment.

As an example of fintech in the financial supervision context, the National Bank of Georgia (NBG)’s Financial Technology Strategy Department (FTSD) has identified a number of key fintech-related risks to the Georgian financial sector. Specifically, it notes that the principle of risk-based supervision can be applied to fintech developments, leading tailor-made tools to emerge. The NBG’s approach is dubbed “OpenRegulation,” and consists of three main pillars: (i) GuidePoint, (ii) RegLab, and (iii) AgileLegal. All three pillars target fintech innovation and risks in a manner that allows the NBG as financial supervisor to keep track of new and emerging risks (see Figure 11 below). This approach, subsequently, feeds into a process that allows the NBG to, as frequently as needed, update its regulatory database. This includes testing of new, updated rules in a regulatory sandbox environment before they are rolled out to the financial sector in general. See Figure 12 below. As noted in Section III. A above, information on these developments can helpfully tie into a central bank’s internal risk management, identifying possible policy and operational risks that the central bank might run.

Figure 11. National Bank of Georgia: Outline of OpenRegulation

Figure 12. National Bank of Georgia: OpenRegulation—Legal Updating Process Illustrated

F. Financial Integrity 51

Financial integrity is a high-level goal of the international community. It is a broad concept that covers measures to prevent and combat money laundering (ML), its predicate offences, terrorism financing (TF), and proliferation financing (PF), as well as measures that, while they may not be specifically covered by the Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) standard, are nonetheless indispensable to support an effective AML/CFT system. 52 These include, for example, measures aimed at preventing and combating specific predicate crimes, such as corruption and tax crime, as well as fostering good governance. Central banks have a responsibility to help ensure that a country’s financial sector is insulated from illicit flows and criminal activity. As such, financial integrity is an important aspect of several functions of central banks (supervisory, financial inclusion, and general financial sector oversight), the primary of which are discussed below.

While harboring many potential and actual benefits, fintech developments (especially in the realm of virtual assets (VAs) 53 and virtual asset service providers (VASPs)) raise new challenges for authorities, including central banks, and are accompanied by a number of risks (e.g., related to their frequently anonymous, or pseudonymous, nature). To address these risks, in 2018, the Financial Action Task Force (FATF)—the international standard setting body for AML/CFT—updated its standard to cover VAs and VASPs. 54 Countries are required to identify, assess, and understand the ML/TF risks emerging from VA and VASP activities in their jurisdiction. Based on that assessment, countries should, on a risk basis, implement the necessary measures to prevent and mitigate the risks identified. The BFA, Principle VII, preempted these responsibilities, noting specifically that “countries should safeguard the integrity of financial systems by identifying, understanding, assessing, and mitigating the Fintech-related risks of criminal misuse and by using technologies that strengthen compliance with AML/CFT measures.”

For central banks, these developments will very likely have policy effects and related risks. As noted in subsection E (Financial Supervision), regulatory frameworks and supervisory practices will need to be adapted for the orderly development and stability of the financial system, to facilitate the safe entry of new products, activities, and intermediaries and to respond to and prevent stability and integrity risks. New financial intermediaries will impact financial sector oversight in terms of resource and capacity implications. The possibility of such new intermediaries becoming systemically important entities presents financial stability and integrity concerns as these non-traditional players may not be as equipped to handle financial integrity (and other) risks—thereby contributing to (significant) strategy and policy risk of the central bank. Additional legal and reputational risks could increase as well, for instance, when questions arise regarding the validity of the existing legal framework, and the speed and efficiency of, and communication surrounding relevant central bank actions.

In their supervisory role, central banks will need to ensure that they (i.e., decision-makers and staff alike) are up to speed with fintech developments that could affect financial integrity—examples include expertise with and knowledge of crypto-assets (and their attendant risks), as well as of regtech solutions that might be applied by supervised entities relating to (ongoing) client screening, transaction monitoring, supervisory data reporting, and advanced data-analytics on Big data, allowing for more enhanced and cost-effective anomalous pattern detection, including the identification of suspicious transactions. Such an understanding is even more critical for central banks who are the designated AML/CFT supervisor in a country. Pursuant to the standard, financial institutions and intermediaries (both existing and new) are also required to understand and mitigate risks associated with VAs—where a central bank is the designated supervisor, it would be responsible for ensuring that such obligations are met. On the other hand, fintech developments (in the form of suptech) can also assist central banks in the conduct of their supervisory activities (see subsection E). 55

Some central banks also house their country’s Financial Intelligence Unit (FIU). FIUs generally serve as a national center for the receipt and analysis of information relevant to ML, associated predicate offences, and TF/PF, in the form of suspicious transaction reports (STRs). FIUs are also responsible for analyzing the information received and disseminating the results of their analysis to the relevant law enforcement authorities. In this capacity, FIUs must be knowledgeable about and stay current on the different modalities, mechanisms, and schemes by which ML and TF occur. It is therefore important for FIUs to have an in-depth and up-to-date understanding of fintech developments, products, and services, to inform their analytical work. Fintech could greatly facilitate advanced data-analytics and could therefore be extremely useful to an FIU. However, as noted above with respect to the supervisory role of a central bank, such developments require a certain level of human capacity (in terms of knowledge, expertise, and experience).

The mentioned risks could also emerge from decisions made in the formulation of monetary policy. As noted in subsection A (Monetary Policy), CBDCs and GSCs are recognized as having financial integrity risks and, if not effectively regulated, could contribute to facilitating illicit financial flows. In its recent report to the G20, the FATF identified anonymity, global reach, and layering as being particular ML/TF vulnerabilities for GSCs. 56 The BIS has stated that to mitigate these risks, “providers of stablecoins and other entities that are part of a stablecoin ecosystem should comply with the highest international standards for AML/CFT”. 57 Where a central bank has an AML/CFT supervisory role, it would need to ensure that financial intermediaries and other service providers dealing with and/or administering stablecoins are following AML/CFT rules and regulations.

Depending on the specific model issued, the creation of a CBDC might also generate new functions and responsibilities for a central bank (such as holding customer accounts for retail CBDC). 58 These new functions may require that a central bank itself adheres to AML/CFT regulations when conducting its operations and may have larger implications for a country’s legal/regulatory framework (e.g., who is to supervise the supervisor).

All the foregoing requires a central bank to seriously consider the impact of fintech developments on its functions and activities, as well as the activities of the financial sector and among entities it supervises.

G. Cash Currency Management

Cash currency management is one of the oldest functions of central banks. It incorporates aspects related to design and security features of bank notes (and often coins as well), procurement and production issues, logistics (including storage, distribution, invalidation, and destruction), and aspects of modelling and forecasting cash currency demand—see Figure 10 below regarding the cash currency lifecycle and transfer of possession. Most countries have their own currency, and some countries use another country’s currency (referred to as “dollarization”, given the frequent use of the U.S. dollar, 59 though “euroization” is not uncommon either, 60 nor is the use of the Australian dollar). 61

Fintech-related policy risks for cash management relate predominantly to the possible use of CBDC. Numerous countries are currently exploring the possibilities of issuing a CBDC, either stand-alone, or in combination with cash—see Figure 13 below. Some countries are simply conducting basic research, others have conducted (and concluded) experiments. Policy risks related to the introduction of a CBDC could stem from a lack of understanding of effects CBDC may have on society, including how this will affect the monetary policy transmission mechanism (see also subsection A). Figure 13 could similarly be applied to the different phases of creation, issuance, distribution/circulation, and invalidation and destruction of CBDC—and the nonfinancial risks related to each of those phases.

Figure 13. Cash Currency and CBDC—Transfer of Possession

Figure 14. Countries Where Retail CBDC is Being Explored

Operational risks related to possession in particular could be similar for cash and CBDC: both cash and its digital equivalent need to be (1) forecasted (taking into account relevant economic data, including cyclical demand linked to, for instance, agricultural cycles, significant national holidays and other festivities, as well as reasonably predictable shocks, such as adverse weather or even natural disasters), (2) designed while taking into account optical designs (often reflecting symbols of national identity), as well as security aspects to prevent or significantly limit counterfeiting, (3) printed (or, in the case of a CBDC: entered into a database/created as a token), (4) put into circulation, and (5) possibly be invalidated and/or destroyed.

Lastly, a recent IMF Working Paper also highlighted the legal risk that a central bank might run in the case of considering a CBDC, as “[f]irst, most central bank laws do not currently authorize the issuance of CBDC to the general public. Second, from a monetary law perspective, it is not evident that “currency” status can be attributed to CBDC. While the central bank law issue can be solved through rather straightforward law reform, the monetary law issue poses fundamental legal policy challenges.” 62

In summary, though fintech carries opportunities for central banks, policy, strategy, and operational risks to the financial system and for central banks and financial supervisors themselves need to be addressed. As mentioned above, this holds for financial integrity and financial inclusion, as well as for financial supervision and other financial stability-related areas where fintech tools might be applied. Proportional regulation should ensure that potential risks associated with fintech are effectively monitored and addressed without unduly stifling innovation and undermining consumer protection and financial inclusion. Legal frameworks will need to adapt to keep pace with innovation and ensure proper calibration of new risks, legal certainty, predictability, and the balance between transparency and privacy. Financial integrity (including AML/CFT) requires specific attention, to prevent fintech applications from circumventing or evading current controls and new products from being used for criminal ends. Operational risks linked to each of these policy areas could increase in likelihood and/or possible impact.

The next subsection will delve deeper into additional operational risks that central banks and financial supervisors might run due to fintech- and cybersecurity-related developments.

H. Digital Risks and Central Bank Information Technology

With the advancement of digitalization in the financial industry, managing digital risks, especially cybersecurity, has become a key success factor for digital transformations of central banks. In fact, emerging solutions have introduced new forms of digital risks and concerns about the technologies used, newly acquired processes, and the skills required to develop and maintain complex fintech systems. As a result, without proper rigor and management, digital risks may result in monetary losses, data leakages, and reputational risks, as mentioned above, for central banks and may even impact the financial stability of their respective countries.

However, there is more to digital risks than meets the eye. Although crucial, cybersecurity risks are not the only digital risks threatening Fund members—including their central banks—and their financial systems. In addition to (1) cybersecurity risks, digital risks and negative impacts may relate to: (2) artificial intelligence (AI), (3) data and privacy, (4) digital exclusion, (5) market concentrations, (6) digital spillover, (7) inadequate legal and regulatory (including AML/CFT) frameworks, and finally (8) the negative environmental impact technologies may create. Major differences in design, infrastructure, and the technologies used in each country would result in different risks and impacts and would demand a custom digital risk management and priority plan to reap the benefits of the digital transformations. Digital solutions must account for the risks and impacts across technology, processes, people, and data (see Figure 15).

Figure 15. Digital Risks to IT Systems

IT infrastructural issues often go beyond the central bank’s sphere of influence. Lukonga 63 stresses that IT outages in general could create significant risks in “countries with unreliable provision of electricity and internet service. The growing trend to shift to digital modes of delivering financial services requires reliable electricity and internet. Unreliable electricity supply remains a significant problem in some countries (Egypt, Lebanon, the West Bank and Gaza, and Yemen), and this can lead to service disruptions as financial institutions rely more on Internet for service delivery.”

Similarly, outsourcing could pose operational risks. This relates to reliance on third parties for a central bank’s own IT infrastructure (as mentioned above), for instance in the form of private or public cloud computing (see Box 2). Additional legal risks could relate to (the lack of) clear arrangements and Service Level Agreements and the clear allocation of responsibilities to facilitate transparency and accountability. Lastly, it could include aspects of outsourcing of critical capacity and expertise on IT-related issues, such as dependency on external helpdesks and software engineers. This holds for commercial institutions and central banks alike. 64 Some central banks have reportedly started setting up private cloud services within the central bank community to decrease dependencies on third parties.

Fintech services are introducing new technologies to central banks’ infrastructure and their internal operations. In addition to the earlier provided overview of technologies, additional technologies and software such as open-source software, 65 heavy dependency on cloud computing, integration through Application Programming Interfaces (APIs), Artificial Intelligence/Machine Learning (AI/ML), blockchain/DLT 66 (including the concept of distributed and decentralized architecture and/or authority), Decentralized Finance (DeFi), 67 and Big data are among the technologies that will pose even more new risks to central banks. These services and technologies require specific operational techniques and a deep technical understanding that needs to be reflected and integrated within the central bank’s risk management framework. Only by such an integrated approach can the central bank manage fintech-related risks, in line with its risk appetite.

Cloud Computing

Cloud computing can be defined as “off-premise, on-demand computing where the end-user is provided applications, computing resources, and services (including operating systems and infrastructure) by clouds service provider via the internet.” *

Clouds can be classified into four distinct types, based on where the cloud is hosted:

1) Public cloud: the physical infrastructure is located at the third party’s premises. This implies that the user has no clarity regarding the location.

2) Private cloud: this is a cloud solution specifically designed for the user. Contrary to common belief, a private cloud does not need to be located at the user’s location, but it could also be hosted externally. In either case, the infrastructure is dedicated to the specific user only, and is not shared with other organizations.

3) Hybrid cloud: as the name suggests, this is a mix of private components (critical, secure applications that are hosted in a private cloud) and public components (hosted in a public cloud). This is linked to the solution of “cloud bursting”, which refers to an organization only using its own infrastructure for normal use, but allowing situations of excessive data use and/or storage to overflow to a public cloud.

4) Community cloud: the cloud infrastructure is shared between two or more organizations in the same community. Some central banks are exploring the option of creating a private cloud between themselves.

Most cloud providers also offer three different service models, as follows:

1) Infrastructure as a service (IaaS): the cloud provider offers its clients computing resources such as the actual virtual servers, network devices, and storage. This service model requires more involvement of the client to manage their network and servers.

2) Platform as a service (PaaS): the cloud provider offers a platform for its clients to develop and host their applications. This service model requires less client involvement since the cloud provider would manage the backend virtual servers and network.

3) Software as a service (SaaS): the cloud provider offers the application to its clients and would manage the virtual servers and networks. This service model requires much less involvement and management from the clients since the cloud provider would manage the environment and develop and maintain the offered applications.

The major cloud providers world-wide are the so-called Big Four: AWS (Amazon), IBM, Microsoft, and Alphabet (Google), raising additional questions on the systemic nature of these providers, and whether more direct oversight would be warranted.

Figure 16. Fintech and Central Bank Operational Resilience

Cloud computing is an essential component for fintech services to flourish as it provides scalability, elasticity and has the potential to improve business continuity and reduce overall costs. In addition, cloud computing may reduce the operational risks for central banks struggling with on-premise development and maintenance of their own hardware, software, and infrastructure, which comes with substantial operational burden and risk. However, leveraging and managing the cloud without careful planning and security design may complicate the central bank’s infrastructure and raise ambiguity around liability, security, privacy, and legal regulations on sensitive data, which may vary according to the geographical location. Box 2 shows, by means of example, the different types of cloud computing deployment models and related liability, responsibility, and operational techniques. This is forcing the security industry to shift the security mindset from “perimeter” to “data protection” instead. Central banks should strengthen the management of external dependencies as the pool of cloud providers and vendors expands. As noted above, this is not different from operational risk related to other forms of outsourcing, with the difference that the central bank might have even more at stake—including its critical infrastructure. Cloud computing will, therefore, also demand more involvement among central bank stakeholders in the early stages of the solution design and requirement gathering, with more emphasis on threat modeling and early risk management, especially by establishing a clear legal arrangement with third-party (including cloud) providers that defines responsibilities distinctly in order to facilitate transparency and accountability. This also includes the appropriate means for the central bank to get frequent reassurance and audit attestation of the third-party and cloud providers’ systems, procedures, and infrastructure. Finally, central banks need to equip themselves with the appropriate business continuity plans to address data portability and continuity of the central bank’s services.

Open banking leverages technologies, such as APIs, to enable micro financial services to increase market competition and overall resilience by alleviating the operational risks associated with large corporations’ single points of failure or the “too big to fail” risks. However, open banking may exacerbate digital risks, in particular financial sector cybersecurity at large. This goes against the fabric of financial institutions and central banks alike, and decades of centralized closed systems with strong and mature enclave security. Open banking services may suffer from attacks like brute-force 68 due to exposure, unauthorized access through excessive privileges, credential stuffing, 69 parameter manipulation, 70 and data harvesting. 71 All these attacks may result in disclosure of sensitive (customer) data and fraudulent transactions. Rigorous assurance activities during Open banking development are needed, with stronger authentication schemes and a key role for risk management. 72 Though central banks might not necessarily be exposed to direct risks related to Open banking, it could exacerbate strategy and policy risks of the central bank, as noted earlier.
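The difference between brute-force and credential stuffing matters for transaction monitoring on an exposed API: the first hammers one account, the second tries many accounts a few times each. The following detection sketch is an added example, not part of the original paper; the log format, thresholds, addresses, and account names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample lines: '<UTC time> <source IP> <account> <OK|FAIL>'."""
    lines = []
    # One source tries 15 different accounts once each; one guess succeeds.
    for i in range(15):
        outcome = "OK" if i == 7 else "FAIL"
        lines.append(f"2024-01-10T09:00:{i:02d}Z 198.51.100.7 user{i:02d} {outcome}")
    # Another source repeatedly guesses the password of a single account.
    for i in range(12):
        lines.append(f"2024-01-10T09:10:{2 * i:02d}Z 203.0.113.5 treasury01 FAIL")
    # A legitimate user mistypes a password twice, then logs in.
    lines += [
        "2024-01-10T09:20:00Z 192.0.2.10 alice FAIL",
        "2024-01-10T09:20:09Z 192.0.2.10 alice FAIL",
        "2024-01-10T09:20:21Z 192.0.2.10 alice OK",
    ]
    return lines


def classify_sources(lines, window=timedelta(minutes=5),
                     min_failures=10, min_accounts=8):
    """Flag source IPs whose failed logins inside a sliding window look like
    brute force (one account) or credential stuffing (many accounts).
    Thresholds are illustrative assumptions, not recommended values."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, account, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_ip[ip].append((when, account, outcome))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (when, _, _) in enumerate(events):
            # Shrink the window from the left until it spans at most `window`.
            while when - events[start][0] > window:
                start += 1
            failed = Counter(a for _, a, o in events[start:end + 1] if o == "FAIL")
            if sum(failed.values()) < min_failures:
                continue
            if len(failed) >= min_accounts:
                verdict = "credential_stuffing"
            elif max(failed.values()) >= min_failures:
                verdict = "brute_force"
            else:
                continue
            # Any login that succeeded from a flagged source needs a
            # credential reset and session revocation.
            to_reset = sorted({a for _, a, o in events if o == "OK"})
            findings[ip] = {"verdict": verdict, "accounts_to_reset": to_reset}
            break
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(build_sample_log()).items():
        print(ip, finding)
```

A per-source view like this misses attempts spread across many addresses, so in practice it is paired with a per-account failure count.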

Big data 73 provides potential in many financial areas, such as real-time analysis and decision-based systems. However, Big data management, data transmission, access control, the risk of coverage biases (due to inequality of the population representation), and data inaccuracy are challenging and may introduce digital risks to central banks if not designed, implemented, and maintained properly. For example, Big data databases can become a lucrative target for hackers given the vast amounts of data they hold. Unauthorized access may lead to large data leaks. Additionally, Big data software applications are relatively new, and some of them, until recently, lacked basic security features often required by relevant regulations. Lastly, the Big data industry is still struggling in general with balancing the security of metadata and high-demand data 74 with efficiency and usability.

Fintech technologies, such as cloud computing and Distributed Ledger Technologies (DLT, see further), rely heavily on open-source software and libraries. Open-source software can enable innovation in many areas including the financial sector. However, open-source requires a different mindset when it comes to the evaluation and maintenance of software, especially with the process of security patching (i.e., the process of continuously developing and applying updates to resolve vulnerabilities or errors in the software). The maturity level of open-source software relies on the adoption rate of the software in the industry. The more the open-source software is adopted, the more issues and vulnerabilities are likely to be fixed given the active communities. 75 Updates and bug fixes for open-source projects are discussed publicly; as a result, for some projects, security vulnerabilities are published to public forums for verification and fix development. Detailed information on these security issues and the steps of exploitation is publicly available. The time it takes to develop and publish these patches varies based on the open-source community and could pose a risk to central banks if the vulnerability is exposed and largely accessible during this period.

Distributed Ledger Technologies (DLT) are becoming an essential component for the modern Internet and fintech services. DLT provide, in some cases, a more efficient solution to, for instance, the double-spending problem 76 of digital assets. They also provide several security features, including consensus and immutability. 77 However, solutions built on top of this network layer suffer from the same software bugs and architecture flaws as other software and systems. In addition, so-called permissionless blockchains in particular suffer from unique attacks, such as the 51 percent attack. 78 Contrary to popular belief, DLT are not secure-by-default and still require special attention in the design and solution management—requiring significant attention from a risk management perspective. In fact, encryption key management with DLT-based systems becomes critical as the keys are the core means to authenticate users and authorize transactions. For central banks, special attention should be put into the design of any DLT system as zero-day 79 vulnerabilities may intensify the consequences and may impact the central bank’s reputation. In addition, immutability of current public blockchains may be problematic to central banks if a transaction was deemed illegal and requires reversing. Researching and investigating these issues and features beforehand will enable central banks to make strategic decisions during the selection of the backend technology to meet their risk profile while being equipped with the features and capabilities that meet their requirements and policies.
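The settlement risk behind the 51 percent attack can be quantified with the attacker catch-up calculation from the Bitcoin whitepaper (Nakamoto, 2008). This is an added example, not part of the original paper; it assumes a proof-of-work chain in which `q` is the attacker's share of hash power and `z` is the number of confirmations a recipient waits for before treating a payment as final.

```python
import math


def attacker_success_probability(q, z):
    """Probability that an attacker holding share q of the hash power ever
    overtakes the honest chain after the recipient waited z confirmations
    (Nakamoto's model: Poisson attacker progress, then a random-walk race)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a share between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # With half or more of the hash power the attacker always catches up,
        # no matter how many confirmations the recipient waits for.
        return 1.0
    lam = z * (q / p)            # expected attacker blocks while z are mined
    poisson = math.exp(-lam)     # P(attacker mined k blocks), starting at k = 0
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # Attacker is z - k blocks behind; it fails to catch up with
        # probability 1 - (q/p)^(z-k).
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def min_confirmations(q, max_risk=0.001, max_z=500):
    """Smallest z for which the reversal probability drops below max_risk,
    or None if no such z exists up to max_z (always the case for q >= 0.5)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.51):
        print(f"attacker share {share:.2f}: "
              f"confirmations needed for <0.1% risk = {min_confirmations(share)}")
```

The required waiting time grows steeply as the attacker's share approaches one half, and at one half or above no waiting time bounds the risk, which is why finality assumptions belong in the technology selection described above.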

Also, with the advent of digital currencies, new fraudulent schemes are emerging to launder money and finance terrorism—as can be seen with the emergence of so-called tumblers, an automated, distributed and/or decentralized mechanism to launder digital currencies. Supposedly, US$1.2 billion was laundered through the use of tumblers in 2018. 80 These schemes, or variations of them, may impact CBDC if AML/CFT techniques and best practices are not well implemented and enforced by central banks and regulatory bodies in their respective countries.

A smart contract is another layer added to DLT with the potential to automate financial services and functionalities. Smart contracts also led to the emergence of Decentralized Finance (DeFi), a set of financial services without traditional intermediaries. Although smart contracts may suffer from the same class of security issues as other programs, the consequences for central banks may be worse if these security issues are not fixed aggressively before deployment. Additionally, security best practices (such as defense-in-depth and compartmentalization techniques) should be addressed in the solution’s early stages of implementation. Leading smart contract platforms today enforce “immutability,” which prohibits any changes to the deployed source code. This is a desired feature on permissionless blockchain platforms, but it makes smart contracts difficult to fix, which may negatively impact central banks (or even the country’s financial system as a whole) if such platforms are leveraged and permitted.

AI/ML is another widely adopted technology essential for fintech advancement, with further potential to automate more sectors of the financial system (including the central bank) with efficiency. AI/ML systems have gained in accuracy and have proven in many cases to reduce cost and operational overhead. However, AI/ML poses bias risks based on the underlying algorithm and the data used to train the AI/ML software. Some authors recently found that leading facial recognition AI/ML algorithms were inconsistent across gender, skin, and ethnicity differences, which could result in biased AI/ML decisions depending on the use case/function. 81 In addition, AI/ML could fail in adversarial settings (malicious and crafted input), whether intentional or unintentional. 82 This would become more complicated with the black-box problem due to the difficulty of tracing back the decision process of an AI algorithm and identifying the algorithm’s intent—highlighting the need for enhanced transparency, including from the central bank’s side when using AI/ML algorithms. 83 Research is already focusing on AI mitigation and prevention schemes; however, this is still in the early stages and will require new and innovative security modeling of AI components.

Lastly, the separate category of cybersecurity risks can be exacerbated by fintech developments. Though cyber-security is distinctly different from fintech developments in general, cyber risks could increase in severity if the central bank is not adequately equipped in terms of IT infrastructure and expertise, and/or if fintech applications are developed and implemented without addressing the additional operational risks linked to those new applications. Bouveret 84 points out that fintech is “particularly exposed to cyber-attacks given [its] reliance on technology,” as well as expanding “the range and numbers of entry points into the financial system, which hackers could target.” Additionally, fintech could “increase third-party reliance, where firms outsource activities to a few concentrated providers.” He stresses that “cyber-risk is an emerging threat for all types of financial institutions, including central banks as well as fintech firms” (see also BFA Principle X, paragraph 55). Figure 17 below demonstrates how cyber risk management can be fitted within the general risk management approach highlighted in the previous section.

Figure 17. Cyber Risk Management

Besides the unique technological and operational risks to central banks mentioned above, more “traditional” risks still exist as well, and may in some cases even be amplified further. This includes inadequate regulatory, supervisory and compliance frameworks, privacy concerns, and cybersecurity risks to the central bank infrastructure, systems, and data. A mindset of continued improvement and agility/flexibility should be adopted by central banks to discover any issues, gaps or risks early in the process of exploring the use of fintech, investigating root causes and possible solutions/mitigations, while being able to adjust rapidly throughout the deployment process.

Fintech in general puts a lot of emphasis on central bank operational resilience 85 and its ability to adapt to the changing landscape by means of policy and regulations. This requires continuously measuring and improving the central bank’s overall security posture. On the other hand, adoption of fintech services by the financial sector (and the central bank being part of the financial sector in general) would demand further research and collaboration between the central bank, other regulatory bodies, and especially technologists, to update existing financial policies and regulations to enable safe fintech adoption with minimal risks.

I. Central Bank Internal Organization

Central bank risk governance and organization, including having an operationally effective risk management unit, is a prerequisite for managing the fintech-related risks mentioned in the previous subsections. Not having an independent and dedicated risk management unit within the central bank carries the (operational) risk of not being able to assist business departments of the central bank, as well as management, with early and proper identification, mitigation, reporting, and monitoring of fintech-related risks. This includes a clear role for the Business Continuity Management (BCM).

Many central banks are struggling with ensuring they have the right staff, with the right skill set(s) to deal with fintech developments. Lukonga 86 points out that “[s]upervisory frameworks and capacities will need aligning with the evolving financial landscape. Central banks and financial regulators need to upgrade their expertise and internal control mechanism, including operational risk management.” The European Commission, for instance, under its Horizon2020 program, 87 is facilitating technical training of central banks/supervisors in all 27 European Union member states and Switzerland on key fintech developments. Its work program includes workstreams, as well as coding sessions, on (1) credit risk in peer-to-peer lending (based on Big data analytics, to enhance loan default prediction rates), (2) market risk in robot advisory asset management (based on AI), and (3) operational risk in payments (based on blockchain, including specific case studies on fraud detection in Initial Coin Offerings, and cyber risk prioritization based on the mapping of attack techniques). The project is managed by the University of Pavia, Italy, with relevant academic institutions in each member country discussing bilaterally with supervisory and regulatory authorities how to set up training for their staff.

The country case examples of Indonesia, Luxembourg, Sierra Leone, and Ukraine provide detailed information on how the respective central banks are dealing with fintech from the perspective of their governance, risk management, and internal operations. This includes central banks that already operate a fintech regulatory sandbox and/or have advanced cybersecurity frameworks. See Appendix II.

  • V. Conclusion

With the advent of fintech, risk management of central banks themselves is increasing further in importance. Though fintech creates opportunities for central banks (/suptech applications, as well as more efficient and effective internal operations), nonfinancial risks for central banks themselves (policy and operational risks in particular) are similarly on the rise.

Policy risks extend to all key areas of central bank operations, ranging from financial stability, financial integrity, and financial inclusion to payment systems and cash currency management. Though these fintech-related risks primarily affect supervised institutions, sandbox participants, and other market players, they also affect the risk exposure the central bank itself faces because of its policies (or lack thereof) for those topics and institutions. Additionally, operational risks relating to the internal organization, including IT (and cyber-security), HR, and BCM, could be exacerbated by the increased use of fintech tools as well.

Therefore, central bank risk management needs to form a proper line of defense for fintech-related risks. Though risks related to technology are not new at all, as some of the IMF surveillance findings show, the speed and propensity with which fintech developments are taking place in the financial sector could lead to central banks seriously lagging. Though IT departments and financial supervisors are the first “business units” within many central banks to identify fintech risks, they do so from their respective and limited viewpoints—and not with the view of protecting the central bank. Central banks therefore need to strengthen their internal risk management to include holistic, enterprise-wide assistance with identifying, mitigating, reporting on, and monitoring fintech-related risks for the central bank. This will also benefit them as the IMF likely increases its attention to fintech-related issues in surveillance and lending operations through its Safeguards Assessments.

Risk governance and a strong risk culture are crucial. These require a strong tone at the top in the central bank. Governors and Board members need to be made aware of the fintech-related risks their organization runs, and how a risk management framework is clearly needed. This would include outreach to and training of central bank staff (not limited to supervisors and IT specialists—though the European Commission’s fintech and risk management training program is a good example of how to set up unified, consistent, and focused fintech training), as well as enhancing the understanding of Board members themselves of fintech developments at a more granular level.

We offer five key recommendations for central banks to improve their internal risk management in the context of (emerging) fintech- and cybersecurity-related risks:

1) Ensure the central bank has a dedicated, independent risk management function: there should be sufficient risk awareness in the central bank, translated into the establishment of a risk management function that operates independently of business departments, as well as of internal audit. As a second line of defense, the risk management function will help the central bank’s management and the business departments to identify fintech-related risks (whether policy or operational), and assist in mitigating, reporting on, and monitoring those risks. The risk management function can also integrate all transversal second line of defense risks, such as operational, compliance, data protection, or IT/cyber risks. The risk management function (and, ex post, the internal audit function) would also be able to review the existing central bank governance structure to determine if there is sufficient oversight of emerging fintech risks. A clearly articulated and communicated risk event escalation matrix could be helpful to articulate ex ante what type of risk events would need to be escalated, within what specific time frames, and to whom. Additionally, risk management should ideally also follow up internally by identifying strategic risks in general for the central bank, for instance, by conducting a Strategic Risk Assessment (SRA). The SRA should identify the key strategic risks, and its outputs should then inform and support the strategic planning activity and the prioritization and resourcing of key activity, including programs and projects. This could be the starting point for an overall strategic planning cycle of the central bank. Nonexecutive decision-makers should take an active role in stimulating strategic planning and strategic risk management. Central bank decision-makers (executives and nonexecutives) could liaise more closely with organizations such as the IMF and the IORWG to ensure best practices in central bank risk management are incorporated, including aspects relating to Enterprise-wide Risk Management (ERM).

2) Ensure updated fit and proper requirements, and facilitate (ongoing) training of central bank staff and central bank key decision-makers on relevant fintech issues: the fast-paced fintech developments spanning a multitude of sectors, functions, and technologies imply that central bank staff must be kept up to date at an even higher speed than “normal” financial sector innovation would already require. The same holds for central bank decision-makers, such as governors, executive and nonexecutive Board members. In most cases, these decision-makers will likely lack expertise in, and experience with, fintech activities. Ensuring central bank decision-makers are “fit and proper” to deal with fintech in their policies, operations, and internal organization is crucial. Having them participate in (internal or external) fintech training courses and in events organized by, for instance, the regulatory sandbox, would be helpful. For nonexecutive decision-makers in particular, exposure to fintech issues is critical for their role in central bank strategy-setting, as well as in providing oversight over the central bank’s internal control system.

3) Have clear reporting lines on fintech issues to central bank decision-makers: as some of the country examples indicate, central banks could have a dedicated organizational fintech unit, a more (in)formal fintech working group or committee, or other forms of internal collaboration. Regardless of the organizational setup to deal with fintech-related issues, the central bank would need to ensure that reporting on fintech-related risks is not made overly bureaucratic (for instance, by reporting lines to regular management, as well as management of a fintech unit), nor complicated (by separate reporting lines to different central bank decision-makers, and from different units on similar fintech developments). A balance needs to be found by ensuring the existing organization of the central bank can identify, mitigate, report, and monitor fintech developments and risks, but without creating information asymmetries or bottlenecks.

4) Ensure an integrated fintech approach involving business departments and lines of control: linked to the three points above, a central bank should ensure—ideally as part of its overall mid- to long-term strategic plan—that the organization approaches any (future) fintech developments in a consistent and efficient manner. This implies an even closer cooperation between existing business departments (in particular, financial supervision), organizational departments (HR, BCM, IT, and cybersecurity), as well as the lines of control (risk management and internal audit).

5) Improve cyber resilience and security posture of central bank infrastructure, procedures, technologies, and skillset. Central banks adopting fintech solutions and services should conduct a security posture assessment of their existing cyber resilience to improve their security posture. The central bank’s cyber resilience is measured by the maturity of its internal processes, such as asset, change, configuration, risk, external dependency, and vulnerability management, and could have positive or negative impacts on the central bank’s risk management and fintech adoption. Conducting a cyber resilience and security posture assessment (preferably by an independent third-party specialist) would identify gaps that need to be addressed for the central bank’s fintech adoption to be successful.

A central bank risk management function should facilitate the improved management of risks related to fintech and cybersecurity developments. In addition to the option of exploring a Strategic Risk Management Assessment, the risk management function could also try to map fintech and cybersecurity risks to specific central bank functions, as well as to the central bank’s internal organization. This would involve ex ante identifying the various technologies that are most relevant to the central bank (based on input from, among others, the financial supervision department, if present, and the IT department), and the various functions/powers the central bank has according to its mandate. Through discussions with the central bank’s management and the business departments, the risk management function should be able to provide a basic risk matrix that would serve as input for further discussions within the central bank. See an example listed below.

Lastly, central banks should avoid dependencies on external parties, as some of the fintech and cybersecurity examples have shown. However, given the fast-evolving nature of risks in these areas, central banks should nonetheless consider seeking external fintech and cybersecurity expertise from external experts, in pre-identified areas and within a specific timeframe. This could involve TA from the IMF or the WB, peer review input from IORWG members, bilateral feedback from other central banks, or discussions with other key international organizations, such as the BIS and its Innovation Hubs.

Figure 18. Fintech and Central Bank Risk Management—Example of a Risk Matrix

Appendix I. Bali Fintech Agenda

  • Principles IX and X:

IX. Ensure the Stability of Domestic Monetary and Financial Systems

Explore applications of fintech innovations to central banking services, while safeguarding financial stability, expanding if needed safety nets and ensuring effective monetary policy transmission.

Rapid fintech developments are reshaping financial markets and their structures. Fintech is progressively blurring the boundaries between intermediaries and markets, as well as between digital service providers moving into the financial space, nonbank financial companies, and banks. These developments could affect central banks’ capacity to implement monetary policy and the ability of supervisory agencies to safeguard financial stability, raising both challenges and opportunities.

The potential impact of fintech on monetary transmission and the effectiveness of policy needs further consideration. In many countries, monetary policy is transmitted by changing the marginal price of liquidity—central bank reserves—available to large commercial banks, which in turn is transmitted to lending and deposit rates, as well as inducing a repricing of bonds, the exchange rate, and other assets. Fintech innovations can change any segment of this transmission. The balance-sheet channel could be affected by how households and firms react to new financial products or delivery methods, while the bank-lending channel could be reshaped by changes in the composition of bank financing. Fintech may alter the risk-taking behavior of both bank and nonbank intermediaries with implications for monetary transmission. Fintech could also affect the role of banks in payments and could thus affect their need for central bank liquidity. Policymakers will need to think through the impact of specific fintech innovations, and—if necessary—adapt operational frameworks of monetary policy to ensure effective transmission.

Fintech offers central banks the opportunity to explore new services, while having to consider new risks:

a) Some central banks are considering the possibility of issuing CBDCs, reflecting such issues as the rapid decline of cash use in their systems, maintaining demand for central bank money, reducing the cost of maintaining printed cash, and improving financial inclusion by reducing transaction costs. The design of CBDCs by central banks could have implications for the sources of commercial bank funding in the future—an issue that would call for careful examination.

b) Some central banks are exploring new fintech applications to improve and expand access to payments systems. Applications, such as DLT, are being examined closely to ascertain their capacity to increase the efficiency and resilience of payments systems.

c) Safeguarding financial stability could increasingly become a challenge. Fintech could impact the nature of systemic risks. For example, fintech-enabled multiple payment systems could improve the resilience of payments flows and reduce counterparty risk but could also become conduits amplifying risks at times of stress. Similarly, the determination of what constitutes a systemically important entity, from a stability perspective, may need to be expanded not only to a wider set of nonbank financial institutions but also, possibly, to entities providing critical fintech infrastructure.

d) Central bank support and the role of the LOLR in times of crisis might need to be re-examined. Fintech activities could lead to a decentralization and shift of activities outside the perimeter of the traditional banking sector. Although such shifts are not a new phenomenon, the speed and intensity with which these developments take place raise issues for central banks, financial supervisors, and other agencies to consider—including any potential need for adjustments to their legislative and regulatory frameworks.

e) Implications for other financial safety net arrangements might need to be considered as well. This could include analysis of the nature of “deposit” insurance, as well as its scope and coverage, and issues relating to crisis management and resolution of systemic fintech firms.

Principle X. Develop Robust Financial and Data Infrastructure to Sustain Fintech Benefits

Develop robust digital infrastructure that is resilient to disruption and that supports trust and confidence in the financial system by protecting the integrity of data and financial services.

Robust financial and data infrastructure is necessary to provide operational resilience and to preserve confidence. Strong standards of operational resilience help market participants and infrastructures to withstand and rapidly recover from disruptions, thus supporting confidence in the continuity of services and preserving the “safety and soundness” and the integrity of the financial system.

Fintech innovation increases IT dependencies and operational risks that should be carefully managed. Effective governance structures and risk-management processes are important to identify and manage risks associated with the use of fintech. The greater reliance on such technologies leads to new operational risks and more interdependencies among service providers (financial institutions, technology providers, and others) that may threaten the operational resilience of financial and data infrastructures. Financial institutions are increasingly partnering with or providers. In such cases, the associated risks for those operations and delivery of the financial services remain with incumbents. As many third-party providers fall outside the regulatory perimeter, increased emphasis on managing operational risks and ensuring robust outsourcing arrangements is key to preserving financial stability.

Economies of scale may increase concentration risks. Economies of scale may motivate greater consolidation among financial firms or third-party service providers, increasing interconnectedness, and accentuating the potential for concentration and network risk. The provision of key infrastructure services by one or a few dominant players raises risks (both domestic and cross-border) that would need to be carefully managed and addressed by information-sharing, cooperation, and macroprudential policies as needed.

Cybersecurity is paramount. Cybersecurity is a vital element of overall operational resilience, recognizing that financial services infrastructures are only as strong as the weakest link. Increased digitalization of finance encouraged by financial innovation places even more pressure on the importance of strong cybersecurity. It is thus important that cybersecurity be fully integrated into the development of new processes from the start. Robust standards are needed to achieve a minimum level of cyber resilience across the entire financial services supply chain to maintain the safety and soundness of the financial system and integrity of data.

Robust business continuity and recovery plans are essential. A key component of strong resilience is the ability to withstand and rapidly recover from operational disruption. This necessitates robust back-up systems, incident response plans, and arrangements that are regularly tested with realistic failure scenarios.

The increased digitalization of finance increases the need for strong frameworks to protect individual and institutional data. As more entities gain access to large volumes of personal and proprietary data, efforts to gain improper access to this information will increase. Robust data governance frameworks are essential to sustain the trust and confidence of users and to deliver the benefits of fintech. Important components of such frameworks include: (1) clarity of data ownership; (2) safeguards to protect data confidentiality, availability and integrity, while encouraging appropriate regulatory information sharing; (3) privacy considerations; and (4) the ethical use of data. Processes will be needed to ensure that data controllers and processors implement effective data protection mechanisms and retain accountability for data breaches.

The following steps may be helpful for authorities to strengthen operational resilience:

a) Encourage financial firms and technology providers to embed cybersecurity and operational risk management into an enterprise-wide risk-management framework and to promote technical standards on cyber and information security. Build upon industry standards issued by SSBs [Standard-Setting Bodies] to set expectations for operational risk management and governance that include monitoring of compliance with applicable regulatory requirements when introducing new products.

b) Promote robust outsourcing arrangements that address technology dependence and apply strong disaster-recovery and business-continuity principles and standards for digital infrastructure. Market players should have robust processes for due diligence, risk management, and monitoring of any operation outsourced to a third party. Contracts should outline the responsibilities of each party, agreed service levels, and audit rights.

c) Monitor and manage domestic and cross-border concentration risk, because economies of scale could lead to large financial or technology firms becoming increasingly important in the provision of key infrastructure services, thus increasing vulnerability to systemic disruption.

d) Ensure that robust data-governance frameworks are in place to address issues of data ownership, privacy, confidentiality, integrity, availability, and the ethical use of data. Priorities are the protection of consumer and institutional data and the integrity of the financial services industry infrastructure.

e) Additional capacity and specialized skills may be needed to supervise operational and cybersecurity risks.

Appendix II. Case Examples 1

  • A. Indonesia

Fintech in Indonesia has been growing. The fintech industry in Indonesia has shown an upward trend during the last several years, dominated by peer-to-peer (P2P) lending, and followed by payment system service. The transaction value grew by 18.3 percent from US$22.4 billion in 2018, to a predicted value of US$26.5 billion in 2019—most of which (95.67 percent) comes from digital payments. 2 According to the Indonesia Fintech Association (Aftech), the number of fintech players in Indonesia grew rapidly from 140 players by 2016, to 189 players by February 2019. Among those players, 34 percent focused on payment systems. See Figure 1 below.

Figure 1. Fintech in Indonesia/Players and Transaction Value

Fintech is seen through the lens of the central bank’s objective of payment system stability. For Bank Indonesia (BI), the country’s central bank, these developments warranted the need for active involvement with fintech in Indonesia. BI has a mandate to regulate and maintain the stability of the payment system and to achieve an efficient, safe, and reliable payment system by considering the expansion of financial access and consumer protection. As such, BI has five main roles: regulator, licenser, operator, facilitator, and supervisor of the payment system.

Additionally, fintech is seen as potentially influencing financial stability as well. The fintech business in Indonesia is classified into five categories: (i) lending and capital raising, (ii) market support, (iii) payment, clearing, and settlement, (iv) investment and risk management, and (v) insurance. As such, BI works closely with the Indonesian financial supervisor (Otoritas Jasa Keuangan, OJK). This allows BI to strike the right balance in creating policies that simultaneously nurture digital innovation, while also preserving financial stability and integrity.

In organizational terms, BI established a function under the Payment System Department to facilitate its work in the fintech area. It has nine full-time employees with a varied set of experiences, expertise, and backgrounds, ranging from economists, accountants, and mathematicians to legal and IT experts—this is a reflection of the complexity of “fintech” and the topics generally included under its header.

Additionally, the regulatory sandbox is a controlled environment for innovative products. It provides a safe and secure environment for experimenting with fintech products, services, technology, or business models that are created to nurture innovation—while also safeguarding consumer protection, risk management, and prudential principles. The duration of participation in the sandbox is limited to six months, though extension for another six months is possible. Requirements for participation include registration at BI, payment systems-related business, innovative products, benefits to customer, non-exclusive and scalable businesses, with risks identified and mitigated.

BI has set up an expert panel for the regulatory sandbox, comprising experts from the regulation, licensing, information technology, risk management, law, and supervision units. This expert panel has the responsibility to assess risks of potential fintech participants in the regulatory sandbox. To control fintech-related risks, BI requires all fintech payment systems to be registered at BI, and it limits collaboration by licensed providers with unregistered fintech companies. BI also requires all fintech companies to comply with Indonesia’s AML/CFT Act and relevant regulations and requires fintech companies to report any suspicious transactions. As crypto-currencies are not legal tender in Indonesia, payment service providers (including fintech companies) are currently prohibited from processing transactions using crypto-currencies.

  • B. Luxembourg

The Central Bank of Luxembourg (BCL) closely follows and carefully analyzes fintech developments, though it does not have a separate fintech unit. Fintech developments that affect the central bank are dealt with in various departments depending on their respective areas of expertise. This most notably includes market infrastructure and payment systems and oversight, financial stability, economics and research, market operations, as well as in the BCL’s own operational risk management and IT. The BCL Governor recently tasked a staff member of the BCL’s European and Internal Coordination Unit to actively follow fintech developments and to ensure effective coordination throughout the bank. Similarly, an internal working group on Blockchain/DLT provides a forum to discuss fintech-related developments across departments. It should be noted that prudential supervision of fintech service providers is undertaken by Luxembourg’s financial supervisor, which is a separate entity.

From a payments system perspective, the BCL monitors fintech developments at the European level. The BCL’s Market Infrastructure and Payment Systems Unit follows fintech—and DLT in particular—at the level of Eurosystem committees and work groups. It examines function, operational reliability, and legal setup vis-à-vis the users (what rights do users have). A similar approach is followed at the local level vis-à-vis the analyzed initiatives. In this context, cybersecurity, auditability and traceability, and IT management are raised, but this unit lacks the competence and capacity to adequately assess the responses.

The BCL’s current approach to fintech is to rely on decentralized expertise throughout the organization. For the BCL, the objective of this approach is to rely on the expertise of each unit in their area of competence, while adding an additional coordination layer to ensure an efficient communication and information flow, as well as a comprehensive view and understanding of the diverse fintech developments, their interlinkages, and impact.

BCL’s internal risk management function consists of the Risk Prevention Unit, which deals with ORM including BCM, information security (cybersecurity) and compliance. See Figure 2 below. As the BCL’s second line of defense, the Risk Prevention Unit needs to have the necessary skillset to embrace and assess more technical disciplines such as IT, information security, as well as emerging and potentially disruptive technologies. Figure 3 provides an overview of the BCL’s operational risk management umbrella framework.

Figure 2. BCL Risk Prevention Approach

Figure 3. The BCL Operational Risk Management Umbrella Framework

The Risk Prevention Unit is involved in analyzing potential (future) fintech-related risks to the central bank as well. At this stage, the BCL does not yet use fintech for its own benefit, and technology such as DLT and AI/ML is not used in supervisory tasks, nor does the central bank use cloud services. Nonetheless, these technologies are analyzed by the BCL’s internal Risk Prevention Unit. The Risk Prevention Unit is also actively involved in the assessment of cyber-risks to the BCL. Additionally, new technologies are discussed in various Eurosystem groups as well, before use cases are further developed. The BCL also participates in the OECD Financial Markets Group, and its newly set up Expert Group on Finance and Digitization.

From a risk management perspective, the BCL sees possible disruptive consequences of fintech. The Risk Prevention Unit assesses risks related to disruptive technologies, in particular those associated with Luxembourg’s startup ecosystem, such as cloud computing and mobile computing. The BCL is currently considering more officially defining its risk appetite for different risk domains like cyber risks, fraud risk, third-party risks, or technology risk—including fintech.

The BCL sees the necessity to address technology risk given rapid changes and strong interconnectedness. It defines technology risk as “any potential for technology failures or incidents to disrupt the business, such as breaches of agreed service availability, loss of data integrity or data corruption, architectural risk that exposes significant single points of failure, or an inability to recover technology enablers supporting critical processes. It is the risk of the inability to operate critical processes within a reasonable timeframe due to technology failures.” The BCL covers some explicit fintech elements such as cloud computing, cybersecurity, and mobile computing. As the evolution of technology is advancing rapidly, and the rate of change associated with interconnectedness, mobility, and complexity will further accelerate in the future, the BCL feels it must respond quickly by reshaping and improving its current operational risk management practices and technical means.

Practical examples include implementing a Governance, Risk, and Compliance (GRC) solution. The Risk Prevention Section is currently implementing a GRC software solution for fostering the operational risk management process at the central bank. The third phase of the project would incorporate elements such as cyber or IT incidents feeding directly into the GRC solution. The BCL considers this a viable option, given that the necessary technical background and skillset are present at the second line of defense level. The Risk Prevention Section collaborates with the BCL’s operational security to implement security assessment tools that could feed into the GRC tool in the future.

BCL risk management will be able to improve operational resilience in the context of fintech. Given that risk management is a second line of defense, BCL’s risk management will be able to translate technical incidents, weaknesses, and risks into business terms and risks for the central bank. Expanding risk management to cover fintech-related developments will allow the BCL to respond more quickly to technical weaknesses at the business level, and thereby guarantee higher operational resilience of the central bank.

In the (near) future, the BCL expects the following developments to allow fintech to contribute to internal risk management of the central bank:

1) Improved automation and computerization of the ORM process by implementing an advanced software GRC solution;

2) In the BCL Management Team: interfacing the GRC tool with IT technical solutions;

3) Improved translation of cyber and technical risks into business terms and risks – which would result in quicker response times, and higher operational resilience;

4) Better targeted and increasingly empowered risk assessments of operational risks, including cyber and technical risks by the second line of defense;

5) Significant improvements in the accuracy, efficiency, and security of processes across payments, clearing, and settlement;

6) Additionally, contributing to identifying the best options for mitigating risks and the respective strategies;

7) Real-time information on all types of risk;

8) Mitigation of the effects of cyber-attacks (internal or external), by continuous monitoring of the data environment; and

9) Continuous monitoring and auditing of processes and systems that are vulnerable to threats. The process should include alerting, responding, and eradicating threats.

Additionally, the BCL is studying the following topics for possible future application, if deemed appropriate:

1) Improvement of fraud detection by measuring and monitoring anomalies and abnormal activities (internal and external fraud, cyber-attacks; possible applications in the context of SWIFT payment messages to avoid cases like Bangladesh Bank by means of scanning all transactions, false payments, false invoices, etc.);

2) Data mining, including the application of statistical and artificial intelligence tools for data-analytics, allowing assessment of risk of internal fraud, management fraud, occupational fraud, and to support fraud audits;

3) Detection of front office behaviors, and observation of emerging behavioral patterns to predict latent risks and detect links between employees;

4) Detection of money laundering by analyzing large datasets;

5) Control of operational risks by using effective Workflow Management;

6) Analyzing the best ways to protect systems through AI/ML analysis;

7) Process-automation to accelerate the pace of routine tasks, minimize human error, and make processes in general more efficient and more secure;

8) Setting-up of early-warning systems by defining Key Risk Indicators, Key Performance Indicators, Key Control Indicators enriched by appropriate models for detecting abnormal behavior and constructing legitimate events;

9) Identifying patterns, by using tools in complex data structures involving non-linear relationships in particular;

10) Applying simulation models for the analysis of more complex problems;

11) Modelling complex phenomena based on experts’ perceptions by modeling uncertainty and related events, and enabling development and forecasting exercises through simulations;

12) Automation of the classification of risk events;

13) Automation of taxonomies and risk libraries by standardization, centralization, and elimination of redundancies;

14) Allowing for automatic links between historic incidents and the corresponding risk event(s) to prevent similar risks in the future; and

15) Combining loss data with risk reports to ensure improved prediction of risk events, and therefore a more accurate prediction of future losses.

In terms of challenges, the BCL has identified the following key issues to be tackled:

1) The availability of suitable data;

2) Data held in separate silos, different systems;

3) Data kept as informal knowledge; and

4) Transparency and ethics (regulatory compliance).

C. Sierra Leone

The Bank of Sierra Leone (BSL), which is Sierra Leone’s central bank, actively manages the country’s regulatory sandbox. The BSL’s Regulatory Sandbox Program was set up to enable innovative fintech products, services, and solutions to be deployed and tested in a live environment, within specified parameters and timeframes prior to launch into the market. The sandbox helps facilitate the BSL’s understanding of emerging fintech issues and supports evidence-based approaches that advance the goals of financial inclusion and maintaining financial stability. The mandate of the sandbox is derived from the Sierra Leonean Banking Act (2011) and from the Other Financial Services Act (2001). These give the BSL the authority to issue regulations and guidelines. The BSL Regulatory Sandbox (the “Sandbox”) framework stipulates eligibility criteria, licenses, and regulatory requirements for participation in the Sandbox. Participants must be tested and either granted or refused a license within the testing period.

The Sandbox involves numerous organizational elements within the central bank. Within the BSL, the Sandbox is managed by a Sandbox Steering Committee consisting of representatives from the following departments: Banking Supervision, Other Financial Institutions Supervision, Financial Stability, Legal Affairs Division, and Financial Inclusion Unit. The Sandbox Steering Committee provides policy direction and oversight of the Sandbox Program, including recommendations to the governor on granting or rejecting licensing of projects accepted in the sandbox. The Sandbox Steering Committee is supported by a project implementation team called the Sandbox Team, which consists of experts from the Banking Supervision, Financial Stability, and Other Financial Institutions Supervision Departments. The BSL’s risk management unit is currently not a member of the Committee or the Team. The Sandbox Team is housed in the Other Financial Institutions Supervision Department, but all its internal and external correspondence is channeled through the Chairman of the BSL Regulatory Sandbox Committee (Director of Other Financial Institutions Supervision Department of the BSL), who reports to the management and governor of the BSL on a regular basis. As the need arises, the Sandbox Team may invite experts from other departments within the BSL, including the BSL’s risk management unit, as well as from outside the BSL.

From a risk management perspective, the BSL has identified key risks to the central bank and the financial sector. As the Sandbox operates in a live environment (i.e., involving actual customers using the product(s)), test failures may result in financial loss or other risks to participants, their customers, and the financial system—including the BSL. As such, the Sandbox incorporates appropriate safeguards, including:

Issuance of licences for a period of twelve months to identify and manage potential risks and contain the consequences of failure;

Conducting a thorough “Fit and Proper Persons” assessment on all would-be Board Members and top management staff to ascertain their integrity, sources of funds and suitability to manage fintechs within the Sandbox;

Requesting participants to sign a written agreement with their service providers and to disclose to their customers that the solutions offered to them are under testing in the Sandbox; and

Requiring Sandbox participants to obtain the consent of customers before using their personal data, in order to protect consumers’ privacy.

A so-called monitoring tracker and testing plan is used to assess the risks and measures put in place to mitigate risks and the impact to customers that may arise from:

Any test failures;

Fintech developments;

Regulatory requirements to be relaxed or modified;

Testing methodology;

Control boundaries; key metrics and outcome indications; and

Data security requirements, KYC processes and AML/CFT safeguards.

D. Ukraine 3

The National Bank of Ukraine implemented a pilot project on retail CBDC issuance called E-hryvnia during 2018.

As a part of this project, the NBU analyzed international experience on CBDCs, studied related legal issues and macroeconomic effects, and drew up optimum versions of business models for e-hryvnia circulation.

Along with theoretical studies, the NBU project also conducted case studies. While testing a blockchain technology platform, the NBU issued a limited amount of e-hryvnias into circulation. Transactions involving e-hryvnias could be initiated via either web-wallets or mobile apps for Android and iOS. Transactions were tested by task forces consisting of NBU staff, volunteer companies, and World Bank experts, which provided advice to the NBU as technical assistance 4 .

BACKGROUND:

Financial inclusion is one of the seven strategic objectives set in the National Bank of Ukraine’s (NBU) Strategy.

According to the World Bank’s estimations, 37 percent of adults in Ukraine do not have a bank account and are therefore not involved in the financial system.

It is an important objective for the Ukrainian payment market and the financial inclusion agenda to introduce an affordable, cheap, secure, and functional instrument for retail payments by individuals.

Thereby, research and development activities on CBDC were committed in the Strategy of Ukrainian Financial Sector Development until 2025.

Within the project framework, the NBU team was considering the launch of e-hryvnia in the Ukrainian payment market under one of two alternative models of issuance: centralized or decentralized. The centralized model (Figure 4) implies that the NBU is the only issuer of e-hryvnia and the only owner and operator of the blockchain platform. E-hryvnia is the direct claim on the NBU. Banks and non-bank financial institutions are agents that conduct e-hryvnia distribution, provide users with access to the platform via internet resources, and offer customers additional services, such as secure key storage, mobile applications, and user-friendly presentation of information on customer transactions, etc.

Figure 4. NBU e-hryvnia Centralized Model

The decentralized model (Figure 5) assumes that banks and non-bank financial institutions are entitled to issue e-hryvnia, backed by provisions in the NBU. E-hryvnia is the claim on these banks and non-bank financial institutions, which operate all retail payments. This model is similar to what the IMF defines as synthetic CBDC. 5

For the purposes of the pilot project, the centralized model of e-hryvnia issuance was chosen as a simpler, more comprehensible, and transparent model.

Figure 5. NBU e-hryvnia Decentralized Model

Two working groups were established to implement the pilot project, namely:

1) Internal working group, consisting of the NBU’s structural units: Payment Systems and Innovations Department (project leader), Strategy and Reforming Department, Information Technologies Department, Security Department, Accounting Department, Operational Department, Legal Department, Monetary Policy and Economic Analysis Department. The project manager and the project team reported to the Change Management Committee of the NBU on a regular basis.

2) External initiative group, consisting of the Ukrainian IT and payment markets’ participants who volunteered to take part (they developed the blockchain technology platform and performed service (agent) functions in the pilot project).

The pilot project allowed the project team to identify the following risks and ways to minimize them:

1. The implementation of e-hryvnia may be disruptive for the Ukrainian payment ecosystem. E-hryvnia has the potential to become a competitor to existing retail payment instruments and means of payment, such as payment cards, electronic money, and payment orders. As a result, it may change the ecosystem of Ukraine’s payment market and reassign the current roles of market participants instead of replacing cash and bringing more of the population into the financial system.

2. Considering that the pilot project had a limited list of transaction types and a limited range of users, as well as a minor quantity and volume of executed transactions, the project did not fully uncover the instrument’s attractiveness and the potential level of involvement of Ukraine’s population in using it. Thus, it is hard to predict the number of Ukrainian citizens who would become e-hryvnia users if the decision to implement e-hryvnia at a national scale is taken.

3. In the case of the centralized model, the NBU would perform functions that are not specific to a central bank, such as interacting with individuals (including KYC, dispute resolution, AML/CFT).

4. Implementation of e-hryvnia in Ukraine’s payment market should be in line with the possible implementation of other innovative payment instruments, including instant payments and new Open Banking instruments to avoid the overlapping of these projects.

5. There is legal uncertainty for the implementation of e-hryvnia as it should be regulated by law. As the full-scale implementation of e-hryvnia in the Ukrainian payment market would require amendments to both Ukrainian legislation and NBU regulations, the pilot project was held within the framework of the electronic money regulation.

6. Significant investments and time are required to modernize the payment infrastructure for a new instrument like retail CBDC, which may be unjustified as the Ukrainian payment services market is characterized by a high level of competition, concentration, and established infrastructure.

7. Risk of the proper technology choice: distributed ledger technology (DLT, blockchain) can be used as a platform for the issuance and circulation of e-hryvnia. However, the main advantages of this technology, namely the lack of a single trust center and the possibility of checking any transaction by any person, are not used in the case of the centralized model of e-hryvnia. Also, for a national-level system, a private version of the blockchain protocol cannot be used, since updating it in accordance with the development of the basic protocol is virtually impossible.

The NBU is currently considering the possibility of issuing e-hryvnia not just from the supply side but also through market demand analysis. At present, the Project Team is focused on exploring the possible areas of usage and potential demand for e-hryvnia. The NBU is considering the following use cases for e-hryvnia:

1) Instrument for retail cashless payments by individuals (P2P, P2B);

2) Instrument for social welfare payments (G2P);

3) Instrument for securities settlements (B2B);

4) Instrument for wholesale (interbank) settlements inside the country (B2B);

5) Instrument for cross-border settlements (cooperation with other central banks) (B2B, P2P, P2B); and

6) Interest bearing instrument (not as means of payment).

In December 2020, the NBU initiated a Survey on Potential Demand and Consumer Motivations in the form of a questionnaire. The questionnaire includes 30 questions from the perspective of the above-mentioned use cases and is addressed to six target groups of Ukrainian experts: Retail Business and Innovations/Corporate Business/Financial Markets/Digital Transformation of Public Authorities/Virtual Assets.

In 2020, the NBU presented the Draft Law of Ukraine on Payment Services intended to regulate the operation of the Ukrainian payments and transfer market. Among others, the draft law contains the definition of CBDC, as well as changes to the existing Law of Ukraine on the National Bank of Ukraine in the part of the NBU’s function to issue digital currency. Currently, the draft law is being revised by the Parliament and voting is expected in 2021.

The NBU continues to research the possibility of issuing its digital currency, taking into account the results of the pilot project, the current needs and motivations of the financial market, and the ongoing economic development prospects.

Bazarbash, M., 2019, FinTech in Financial Inclusion – Machine Learning Applications in Assessing Credit Risk. IMF Working Paper 19/109. Washington, D.C.: International Monetary Fund.

Berkmen, P., K. Beaton, e.a., 2019, Fintech in Latin America and the Caribbean: Stocktaking. IMF Working Paper 19/71. Washington, D.C.: International Monetary Fund.

BIS, 2009, Issues in the Governance of Central Banks – A Report from the Central Bank Governance Group. Basel: Bank for International Settlements.

BIS, 2012, Principles for Financial Markets Infrastructures. Basel: Bank for International Settlements.

Bouveret, 2018, Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment. IMF Working Paper, 18/143. Washington, D.C.: International Monetary Fund.

Bowman, M., 2019, Community Banking in the Age of Innovation, Speech by Michelle W. Bowman, Member, Board of Governors at the Federal Reserve System, at the “Fed Family” Luncheon at the Federal Reserve Bank of San Francisco, April 11, 2019.

Chamoun, E., R. van Greuning, 2018, Effectiveness of Internal Audit and Oversight at Central Banks: Safeguards Findings – Trends and Observations. IMF Working Paper 18/125. Washington, D.C.: International Monetary Fund.

Das, S., 2019, Opportunities and Challenges of FinTech, Speech by the Governor of the Reserve Bank of India, NITI Aayog’s FinTech Conclave, March 25, 2019.

FATF, 2012, International Standards On Combating Money Laundering And The Financing Of Terrorism and Proliferation – The FATF Recommendations. Paris: FATF (recommendation 29).

FSI, 2018, Innovative Technology in Financial Supervision (Suptech) – The Experience of Early Users. FSI Insights on Policy Implementation, No. 9. Basel: Financial Stability Institute.

IMF, 2013, Guidelines on FX Reserve Management. Washington, D.C.: International Monetary Fund.

IMF, 2017, Fintech and Financial Services: Initial Considerations. IMF Staff Discussion Note 17/05. Washington, D.C.: International Monetary Fund.

IMF, 2018, Asia at the Forefront: Growth Challenges for the Next Decade and Beyond. IMF Regional Economic Outlook Asia and Pacific, October 2018. Washington, D.C.: International Monetary Fund.

IMF, 2018, Casting Light on Central Bank Digital Currency, Staff Discussion Note 18/08. Washington, D.C.: International Monetary Fund.

IMF, 2019, Fintech: The Experience So Far. IMF Policy Paper, June 2019. Washington, D.C.: International Monetary Fund.

IMF, 2019, Review of the Fund’s Strategy on Anti-Money Laundering and Combating the Financing of Terrorism. IMF Policy Paper, February 2019. Washington, D.C.: International Monetary Fund.

IMF, 2019, Staff Proposal to Update the Monetary and Financial Policies Transparency Code, May 2019. Washington, D.C.: International Monetary Fund.

IMF, 2019, Switzerland Financial Sector Assessment Program. IMF Country Report No. 19/183, June 2019. Washington, D.C.: International Monetary Fund.

IMF/WB, 2004, Financial Intelligence Units: An Overview. Washington, D.C.: International Monetary Fund.

IMF/WB, 2018, The Bali Fintech Agenda. IMF Policy Paper. Washington, D.C.: International Monetary Fund.

ISO 31000, http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170

Kearns, A., The organisation of risk management in central banks, in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014. London: Central Banking Publications.

Khan, A., 2016, Central Bank Governance and the Role of Nonfinancial Risk Management, IMF Working Paper 16/34. Washington: International Monetary Fund.

Khan, A., 2017, Central Bank Legal Frameworks in the Aftermath of the Global Financial Crisis, IMF Working Paper 17/101. Washington: International Monetary Fund.

Kopp, E., L. Kaffenberger, C. Wilson, 2017, Cyber Risk, Market Failures, and Financial Stability, IMF Working Paper 17/185. Washington, D.C.: International Monetary Fund.

Lukonga, I., 2018, Fintech, Inclusive Growth and Cyber Risks: Focus on the MENAP and CCA Regions, IMF Working Paper 18/201. Washington, D.C.: International Monetary Fund.

PWC, 2016, Beyond Automated Advice – How FinTech is Shaping Asset & Wealth Management. PWC Global FinTech Survey 2016.

RBI, 2018, Reserve Bank of India releases Dissent Note on Inter-Ministerial Committee for finalization of Amendments to PSS Act, RBI Press Release, October 19, 2018.

RBI, 2019, Opportunities and Challenges of FinTech, Speech by Governor Das, March 25, 2018, at the NITI Aayog’s FinTech Conclave.

RBI, 2021, Booklet on Payment Systems (January 25, 2021). Mumbai: Reserve Bank of India; accessible via: https://m.rbi.org.in/scripts/PublicationsView.aspx?Id=20315#AP3 .

Shabsigh, G., T. Khiaonarong, e.a., 2020, Distributed Ledger Technology Experiments in Payments and Settlements, IMF Fintech Note. Washington, D.C.: International Monetary Fund.

Vikas, S., e.a., 2013, Private Vs Public Cloud, International Journal of Computer Science & Communication Networks, Vol. 3(2), pp. 79–83.

Woods, P., 2011, Towards A Lightweight Mobile Cloud, Master Dissertation University of Dublin. Dublin: University of Dublin.

Zhang, L., S. Chen, 2019, China’s Digital Economy: Opportunities and Risks. IMF Working Paper, 19/16. Washington, D.C.: International Monetary Fund.

This paper predominantly looks at risk management of central banks. However, this includes functions such as microprudential supervision if the supervisor is incorporated into the organization of the central bank.

See Khan, A., 2016, Central Bank Governance and the Role of Nonfinancial Risk Management, IMF Working Paper 16/34. Washington, D.C.: International Monetary Fund.

Due to the confidential nature of those TA cases, the names of the central banks involved are not mentioned. Instead, the paper has used anonymized findings from the TA reports, discussions with, and feedback from the respective central banks as the foundation for this paper. The TA cases took place between 2018 and 2020. The TA missions were all led by IMF HQ staff from MCM and ITD, and comprised external experts on risk management, strategic planning, governance and organization, from various central banks.

See https://www.fintech-ho2020.eu/ . Staff from MCM participated in several meetings of the EU Fintech Risk Management Project, and engaged with participants (academic institutions, central banks, financial supervisors, and fintech firms).

BFA, p. 12.

https://www.fsb.org/work-of-the-fsb/financial-innovation-and-structural-change/fintech/#:~:text=The%20FSB%20defines%20FinTech%20as,the%20provision%20of%20financial%20services .

IMF, 2017, Fintech and Financial Services: Initial Considerations. IMF Staff Discussion Note 17/05. Washington, D.C.: International Monetary Fund.

IMF/WB, 2018, The Bali Fintech Agenda. IMF Policy Paper. Washington, D.C.: International Monetary Fund.

The IMF, of course, also assists countries by providing financial support through loans. As part of these lending operations, the IMF’s Finance Department conducts Safeguards Assessments. The Assessments examine, i.a., the internal control framework (including risk management) of the central bank. However, given the highly confidential nature of Safeguards Assessments, this paper does not look at possible fintech and cybersecurity findings based on Safeguards Assessments.

Of course, this is not indicative of IMF TA on digital payments separate from central bank risk management.

A SOC is a security operations center formed within an organization to handle security-related events and incidents at the technical level. SOCs rely on network traffic, node health, and application behavior to monitor the network and systems for anomalies and are usually capable of responding to and eliminating the threat.

IMF Special Series on COVID-19: Central Banks’ “Return to the Workplace” Operational Considerations (July 22, 2020), Cybersecurity of Remote Work During Pandemic (May 6, 2020), and Central Bank Operational Risk Considerations for COVID-19 (April 29, 2020).

A unique hit relates to an AIV report in a specific time period, for a specific country. One report can contain many references, but the entry is only counted as 1 for the purposes of this paper. Note that the IMF AIV database is an internal database consisting of AIV documents dating back to approximately 1978.

IMF, 2019, Fintech: The Experience So Far. IMF Policy Report. Washington, D.C.: International Monetary Fund, pp. 9–12.

Search terms that were used included “outsourcing” (for possible links to outsourcing of IT/technology components of the central bank) and “operational risk” (for possible links to operational risks that the central bank may run related to IT or other technological aspects).

IMF, 2019, Fintech: The Experience So Far. IMF Policy Report. Washington, D.C.: International Monetary Fund, p. 9.

IMF, 2019, Switzerland Financial Sector Assessment Program. IMF Country Report No. 19/183, June 2019. Washington, D.C.: International Monetary Fund.

See IMF, 2019, Singapore Financial Sector Assessment Program Technical Note – Fintech: Implications for the Regulation and Supervision of the Financial Sector. Washington, D.C.: International Monetary Fund.

See IMF, 2020, Canada Financial Sector Assessment Program Technical Note – Oversight of Financial Market Infrastructures and Fintech Development. Washington, D.C.: International Monetary Fund.

See IMF, 2020, Republic of Korea Financial Sector Assessment Program Technical Note – Technological Change, Legal Frameworks, and Implications for Financial Stability. Washington, D.C.: International Monetary Fund.

IMF, 2018, Casting Light on Central Bank Digital Currency, Staff Discussion Note 18/08. Washington, D.C.: International Monetary Fund. And: Committee on Payments and Market Infrastructures, 2018, Central Bank Digital Currencies. Basel: Bank for International Settlements.

See, for instance, IMF, 2020, Digital Money Across Borders: Macro-Financial Implications. Washington, D.C.: International Monetary Fund.

Agur, I., G. Dell’Ariccia, 2019, Designing Central Bank Digital Currencies. IMF Working Paper (19/252). Washington, D.C.: International Monetary Fund.

IMF, 2020, Digital Money Across Borders: Macro-Financial Implications. Washington, D.C.: International Monetary Fund.

Which includes payments systems, Central Securities Depositories, Securities Settlement Systems, Central Counterparties, and Trade Repositories.

Previously: Committee on Payment and Settlement Systems, renamed in June 2014.

BIS, 2012, Principles for Financial Markets Infrastructures. Basel: Bank for International Settlements. See p. 5.

A common case of a central bank acting as an FMI is the services it provides through the RTGS. In an RTGS, transfers from one bank to another take place in real time and on a gross basis. RTGS systems are essential for a smooth and efficient banking system. The central bank can provide the RTGS infrastructure.

RBI, 2018, Reserve Bank of India releases Dissent Note on Inter-Ministerial Committee for finalization of Amendments to PSS Act, RBI Press Release, October 19, 2018.

RBI, 2021, Booklet on Payment Systems (January 25, 2021). Mumbai: Reserve Bank of India; accessible via: https://m.rbi.org.in/scripts/PublicationsView.aspx?Id=20315#AP3 .

IMF, 2013, Guidelines on FX Reserve Management. Washington, D.C.: International Monetary Fund.

Ibid., Article 50: “Reserve management strategies should be consistent with and supportive of a country’s or union’s specific policy environment, in particular its monetary and exchange arrangements.”

Ibid., Article 8.

Ibid., Section C, articles 24–33.

Ibid., p.26.

PWC, 2016, Beyond Automated Advice – How FinTech is Shaping Asset & Wealth Management. PWC Global FinTech Survey 2016.

E.g., UAE and Saudi Arabia collaborate on a digital currency for cross-border settlements project, intended to provide “affordable financial services.” Papua New Guinea developed its “IdBox” pilot to foster financial inclusion through strengthened personal identification methods. Mobile money, and other mobile applications have been tried and tested over the past decade in many emerging and developing countries (Kenya being the key example)—including mobile data-based credit registries in Latin-America. Financial literacy is enhanced by fintechs providing financial product advice, such as in India, where consumers can get callbacks with free advice on a range of financial services, many of which are often cellphone-based.

IMF, 2018, Asia at the Forefront: Growth Challenges for the Next Decade and Beyond. IMF Regional Economic Outlook Asia and Pacific, October 2018. Washington, D.C.: International Monetary Fund.

Zhang, L., S. Chen, 2019, China’s Digital Economy: Opportunities and Risks. IMF Working Paper, 19/16. Washington, D.C.: International Monetary Fund.

Das, S., 2019, Opportunities and Challenges of FinTech, Speech by the Governor of the Reserve Bank of India, NITI Aayog’s FinTech Conclave, March 25, 2019.

Bazarbash, M., 2019, FinTech in Financial Inclusion – Machine Learning Applications in Assessing Credit Risk. IMF Working Paper 19/109. Washington, D.C.: International Monetary Fund.

Berkmen, P., K. Beaton, e.a., 2019, Fintech in Latin America and the Caribbean: Stocktaking. IMF Working Paper 19/71. Washington, D.C.: International Monetary Fund.

Larger financial stability policy risks (such as related to macro prudential oversight, resolution, and ELA/LOLR) are of course also possible. See, for instance, IMF, 2020, Digital Money Across Borders: Macro-Financial Implications. Washington, D.C.: International Monetary Fund.

See footnote 40.

FSI, 2018, Innovative Technology in Financial Supervision (suptech)—The Experience of Early Users. FSI Insights on Policy Implementation, No. 9. Basel: Financial Stability Institute. See pp. 17–19.

https://www.solarwinds.com/securityadvisory . In the SolarWinds hack, U.S. government agencies (such as the Department of Homeland Security) and companies (including U.S. telecom operators, and Microsoft) were targeted by hackers via a third-party vendor that supplied software to those agencies.

https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

https://www.bankinfosecurity.com/us-treasury-suffers-significant-solarwinds-breach-a-15641 . U.S. Treasury Suffered ‘Significant’ SolarWinds Breach.

https://threatit.com/articles/lists-of-companies-affected-by-the-solarwinds-hack-published/ . Security providers

Lukonga, I., 2018, Fintech, Inclusive Growth and Cyber Risks: Focus on the MENAP and CCA Regions, IMF Working Paper 18/201. Washington, D.C.: International Monetary Fund.

This subsection was drafted with assistance from Kathleen Kao and Nadine Schwartz (IMF Legal Department/Financial Integrity Group).

IMF, 2018, Review of the Fund’s Strategy on Anti-Money Laundering and Combatting the Financing of Terrorism, IMF Policy Paper, October 2018. Washington, D.C.: International Monetary Fund.

The FATF uses the terminology “virtual asset” for “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes”. The term is used interchangeably with crypto-assets and digital assets in this paper.

FATF, 2018, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf .

BIS, 2018, https://www.bis.org/fsi/publ/insights9.pdf .

FATF, 2020, https://www.fatf-gafi.org/media/fatf/documents/recommendations/Virtual-Assets-FATF-Report-G20-So-Called-Stablecoins.pdf .

BIS, 2019, https://www.bis.org/cpmi/publ/d187.pdf .

See also, IMF, 2020, A Survey of Research on Retail Central Bank Digital Currency, IMF Working Paper 20/104. Washington, D.C.: International Monetary Fund.

For instance, in Ecuador, El Salvador, the Marshall Islands, Micronesia, Palau, Panama, and Timor-Leste.

For instance, in Kosovo, Montenegro, and San Marino.

In the case of Kiribati.

Bossu, W., M. Itatani, e.a., 2020, Legal Aspects of Central Bank Digital Currency: Central Bank and Monetary Law Considerations. IMF Working Paper (20/254). Washington, D.C.: International Monetary Fund.

See, for instance, Bowman, M., 2019, Community Banking in the Age of Innovation, Speech by Michelle W. Bowman, Member, Board of Governors at the Federal Reserve System, at the “Fed Family” Luncheon at the Federal Reserve Bank of San Francisco, April 11, 2019. In her speech, Bowman emphasizes the need for “outsourcing risk management guidance [to] appropriately reflect the present-day business realities of the banks that we supervise.”

Open-source software is a type of computer program and a collection of libraries that is written and released under a special license granting anyone the right to use, modify and distribute the software under pre-defined terms and conditions.

Following “DLT” references in the paper are to be read as including “blockchains.”

DeFi is short for Decentralized Finance and is a new framework of financial services produced with no, or minimal, intermediaries and relies heavily on source-code and cryptography to enforce governance and fulfillment of agreements.

Brute-force, in the context of web security, is an automated and systematic attack against web applications (including APIs) in which an attacker tries thousands or even millions of usernames/passwords per second in an attempt to find the correct username and/or password.

“Credential stuffing” is a cyberattack technique in which an attacker uses leaked credential lists (usernames/passwords or keys) to gain unauthorized access to web applications and APIs using automated programs. This cyberattack takes advantage of the fact that many users reuse their usernames and passwords across multiple web services and applications.

Parameter manipulation is a cyberattack technique in which an attacker manipulates the data sets for web applications in order to fraudulently reduce cost, bypass specific restrictions, or access unauthorized information.

Data harvesting is a technique in which automated programs systematically visit web applications (including web sites and APIs) to extract large amounts of data to be used for malicious purposes.

https://www.rsa.com/en-us/blog/2018–10/prepare-for-psd2-understanding-the-opportunities-and-digital-risks .

Big data is a phrase used to describe a large volume of data stored in a structured and/or unstructured form. The data could relate to educational, financial, and health information and may hold sensitive information such as Personally Identifiable Information (PII) or sensitive financial and transactional data.

https://cybersecurity.att.com/blogs/security-essentials/9-key-big-data-security-issues .

https://www.zdnet.com/article/open-source-security-this-is-why-bugs-in-open-source-software-have-hit-a-record-high/ .

Double-spending is an issue with digital assets in general due to the ease of copying or reproducing digital information. This would enable a malicious spender to double spend the same digital asset amount across different recipients.

Immutability is a desired feature to maintain integrity within blockchain where agreed blocks are cryptographically structured to prevent malicious tampering of any committed transactions.

A 51 percent attack is a public blockchain-specific attack where an adversary would seek to dominate 51 percent of the network’s mining hash-rate. This may result, based on the network’s implementation, in double-spending and preventing the confirmation of transactions, which would undermine the blockchain network’s integrity.

A zero-day vulnerability is a software or hardware flaw that is discovered “in the wild” and has no official fix (or patch) from the hardware or software developer/manufacturer. A zero-day vulnerability can be exploited by malicious users with a high chance of success, as the application user is unable to fix or update the software.

https://www.ccn.com/1–2-billion-in-cryptocurrency-laundered-through-bitcoin-tumblers-privacy-coins/ .

https://dam-prod.media.mit.edu/x/2019/01/24/AIES-19_paper_223.pdf .

https://docs.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learning .

https://jolt.law.harvard.edu/assets/articlePDFs/v31/The-Artificial-Intelligence-Black-Box-and-the-Failure-of-Intent-and-Causation-Yavar-Bathaee.pdf .

Bouveret, 2018, Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment. IMF Working Paper, 18/143. Washington, D.C.: International Monetary Fund.

Cyber Resilience Review (CRR) is an example of a framework for conducting an operational review and examining the cybersecurity controls and processes that require improvement. The CRR is formed of 10 domains: Asset Management, Controls Management, Configuration & Change Management, Vulnerability Management, Incident Management, Service Continuity Management, Risk Management, External Dependency Management, Training and Awareness, and Situational Awareness.

See https://www.fintech-ho2020.eu/

This section is based on input provided by the respective central banks. Note that the examples are not illustrative for developments in all central banks, but only serve as illustrations for the approaches of the specific countries/central banks. The three examples were included due to the pro-active approach of these central banks in sharing their fintech-related risk management experiences in the central banking community and with the IMF.

https://www.statista.com/outlook/295/120/fintech/indonesia

This section is in part based on the research paper written by Roman Hartinger (e.a.), Head, Division for Innovative Projects (Payment Systems and Innovative Development Department) of the National Bank of Ukraine.

The results of the pilot project are published in the pilot project research note https://bank.gov.ua/news/all/e-hryvnia .

IMF, 2019, The Rise of Digital Money. IMF FinTech Note No. 19/01. Washington, D.C.: International Monetary Fund.



Cybersecurity Hazards and Financial System Vulnerability: A Synthesis of Literature

58 Pages Posted: 28 Oct 2020

Md Hamid Uddin

The University of Southampton - Malaysia Campus

Md Hakim Ali

Taylor's University

M. Kabir Hassan

University of New Orleans - College of Business Administration - Department of Economics and Finance

Date Written: 30 07, 2020

In this paper, we provide a systematic review of the growing body of literature exploring the issues related to the pervasive effects of cyber-security risk on the financial system. As cyber-security risk has emerged as a significant threat to the financial sector, researchers and analysts are trying to understand this problem from different perspectives. There are plenty of documents providing conceptual discussions, technical analysis, and survey results, but empirical studies based on real data are still limited. Besides, the international and national regulatory bodies suggest guidelines to help banks and financial institutions manage cyber risk exposure. In this paper, we synthesize relevant articles and policy documents on cyber-security risk, focusing on the dimensions detrimental to the banking system's vulnerability. Finally, we propose five new research avenues for consideration that may enhance our knowledge of cyber-security risk and help practitioners develop a better cyber risk management framework.

Keywords: Cyber-Security, Cyber Risk, Banking Stability, IT Costs, Institutional Performance, Bank Operational Risks



What makes CRE risk in 2024 and beyond different from recent bank failures?

Ampersand’s Kelly Brown talks balance sheets, diversification and more.


All eyes are on the Federal Reserve for interest-rate timing and the careful policy navigation required as inflation sticks around. But for the Fed, and for the banking industry at large, there’s another underlying concern that persists: commercial real estate (CRE) exposure and its particular vulnerability to higher-for-longer rates.

The Fed and other regulators have made clear they have CRE under close watch. And they’ve conceded that not all lending institutions will make it out unscathed. In fact, April brought the first CRE-linked banking failure of 2024 with Republic First. This is most likely not a one-and-done scenario, the officials have warned. But contagion? Not so fast.

“We have identified the banks that have high commercial real estate concentrations, particularly office and retail and other [property types] that have been affected a lot,” Fed Chairman Jerome Powell said in congressional testimony earlier this year. “This is a problem that we’ll be working on for years more, I’m sure. There will be bank failures, but not the big banks.”

Powell’s springtime remarks followed a similar red flag from Treasury Secretary Janet Yellen, who told lawmakers that bank regulators are working to address risks tied to rising vacancy rates and lower valuations for office buildings in traditional economic hubs.

Both officials tied these stressors to the post-pandemic rise in remote work, as well as higher interest rates, which have challenged refinancing CRE debt.

“I hope and believe that this will not end up being a systemic risk to the banking system,” Yellen said in February, also emphasizing that the risk lay with smaller, not larger, banks.

Kelly Brown, founder and CEO of Ampersand, has 30 years of banking and financial services experience. Waukesha, Wisconsin-based Ampersand connects organizations with large deposit and treasury management needs with competitive offers from financial institutions, plus provides other consulting services. Brown talked recently with BAI Senior Editor Rachel Koning Beals about what makes the CRE picture different from other banking industry challenges as well as what familiar patterns in risk management may be emerging.

For Ampersand’s Brown, regulators and banks alike must consider, if they haven’t already, tighter capital requirements, especially for financial institutions heavily exposed to CRE. They could additionally pursue more stringent LTV ratios for CRE loans.

Banks, meanwhile, should undertake portfolio diversification, tighter underwriting enhancements and strategic disposals, says Brown.

The good news for the risk-wary, she stressed, is that an impressive number of banks are doing just that.

BAI grabbed a few minutes with Brown to explore what else was top of mind from her vantage point as the industry faces the uncertainty that comes with CRE burdens and a still cloudy interest-rate picture.

Here’s a snapshot of the conversation, edited in part for length and clarity.

BAI: The CRE situation and any potential for contagion, or broader market disruption, follows relatively soon on the heels of the Silicon Valley, Signature, etc., failures. And although the source of the risks may be different, is there significance to the size and scope of our current level of risk tolerance, response to the CRE situation, so soon after a big scare?

Brown: The timing is significant. This CRE situation again tests the resilience of market risk tolerance. And there can be an overreaction, which hurts the industry, and an underreaction, if we think risks are too isolated, or we underestimate broader implications, which clearly hurts the industry. We had a financial crisis in 2008 to 2010 because of an underreaction.

BAI: Because ripples from the CRE market could be a slowly unfolding issue given lagging economic factors, rolling debt maturities, etc., what are the risk implications? On one hand, there is more time to respond and get protections in place? Market reaction to one or two high-risk developments at a time? On the other hand, a drawn out, nagging problem perhaps because the industry can’t just rip off the Band-Aid and then recover, so to speak…?

Brown: Yes, that’s the nature of rolling debt, differing timeframes, how much time left on deals. On some deals, more time to mitigate some of the risks, such as renegotiating loans or selling off assets. Or, if incremental failures, a gradual response. Are we talking about a series of isolated failures, which is much different than a systemic failure.

And here’s where a snapshot of every bank may vary. A more seasoned CRE portfolio could have very different credit quality. The acumen of credit committees will really stand out here and responses will be swifter. We won’t see what we saw in 2008-2010. For starters, because of 2008-2010, the CRE situation unfolds against much stronger capital positions now, and the regulatory environment is stronger. Credit quality is quite good now for those who’ve earned it. Restoring confidence is the key.

BAI: Talk about a new technological age for risk measurement – advanced analytics and machine learning models. And give us a status update on adoption among both traditional banking and/or arguably historically slow-to-adapt regulators.

Brown: It’s a game-changer now. More accuracy. More precision. Predictive capabilities and that’s huge, which we’ve seen in banks with greater than $10 billion in assets. And believe it or not, regulators will embrace a lot more technology, at least proactive risk-management regulators will get behind it.

BAI: What strategies might banks and credit unions consider right now?

Brown: No doubt underwriting has gotten tighter; less push for emerging market exposure, less for high growth, much more “sticking to their knitting.” Banks have stronger capital positions. But for local economies, it’s true that getting more capital is not easy right now. Subordinated debt markets have all but closed up. If you’re a bank with capital, you are protecting it at all costs, keeping that strong balance sheet.

BAI: CRE scrutiny comes as the market is getting ever tougher for traditional banks facing nonbank, meaning basically traditional tech, competition. Is there enough banking might overall to be this choosy in capital markets? Does CRE risk contagion impact all equally, meaning these other sources will be as risk-averse?

Brown: In 2022, for both banks and nonbanks, it was all about the ease of getting a deal done. Competition was coming from everywhere. Deposits were a challenge. But that’s shifted. Innovation on the fintech side is all great. But fintechs don’t understand banking. And bankers are bankers, not tech people at their core. Success is in partnering. For bankers, their advantage is really understanding the borrowers. They are close to their borrowers. They might understand a certain sector: a physicians’ practice, an ambulatory healthcare center, you get the idea. I also think you are increasingly going to see the regulator play disruptor, addressing vulnerabilities. And addressing CRE vulnerabilities could be a huge piece of it.

In fact, we have an example to draw from. Community banks. Their credit quality, broadly speaking, is incredible. It’s the regulatory reaction from 10-15 years ago, we see that in practice today.

BAI: What didn’t I get at that is important as we consider what’s next for CRE risk and the banking sector broadly?

Brown: There is a connection I can make that I’m not sure every organization is making, but more should. And that is treating ESG and DEI criteria as more than a box to check. It, too, is impacting the valuation with CRE. It changes the overall risk profile, especially when you have a lot of decision-makers who don’t embrace ESG or DEI factors, which can impact positive and negative valuations on CRE. Banks and credit unions must ask about this.

So, for example, CRE firms have lost long-time legal or accounting representation because the CRE firm’s DEI practices no longer align with the law firm’s DEI practices. CRE shareholders might take a stand against soft DEI practices, but board members might dig in against DEI recognition. It’s touchy territory, but banks must know what CRE exposure exists in this area as well. No surprises.

Kelly A. Brown is Chairman and CEO at Ampersand.

Rachel Koning Beals is Senior Editor with BAI.

More Banks Risk Failure as CRE Loans Reprice


Florida Atlantic University analysts said Flagstar Bank and Zion Bancorporation are facing risks due to commercial real estate loans.

BOCA RATON, Fla. – More than 60 of the largest banks in the country are at increased risk of failure due to their commercial real estate (CRE) exposures, according to a data analysis from a finance expert at Florida Atlantic University.

Sixty-seven banks have exposure to commercial real estate greater than 300% of their total equity, as reported in their first quarter 2024 regulatory data and shown by the U.S. Banks’ Exposure to Risk from Commercial Real Estate screener.

“This is a very serious development for our banking system as commercial real estate loans are repricing in a high interest-rate environment,” said Rebel Cole, Ph.D., Lynn Eminent Scholar Chaired Professor of Finance in FAU’s College of Business. “With commercial properties selling at serious discounts in the current market, banks eventually are going to be forced by regulators to write down those exposures.”

The U.S. Banks’ Exposure to Risk from Real Estate screener, a part of the Banking Initiative at Florida Atlantic University, measures the risk to exposure from commercial real estate at the 157 largest banks in the country with more than $10 billion in total assets. Using publicly available data released quarterly from the Federal Financial Institutions Examination Council Central Data Repository, Cole calculates each bank’s total CRE exposure as a percentage of the bank’s total equity. Bank regulators view any ratio over 300% as excess exposure to CRE, which puts the bank at greater risk of failure.

The banks of greatest concern are Flagstar Bank and Zion Bancorporation, according to the screener. Flagstar Bank reported $113 billion in assets with a total CRE of $51 billion. The bank, however, only had $9.3 billion in total equity, making its total CRE exposure 553% of its total equity.

Similarly, Zion Bancorp had a total CRE of 440% of its total equity; the bank reported $87 billion in assets and total CRE of $26 billion, but only $5.8 billion in total equity.

“These are the two largest banks with excessive exposure to commercial real estate,” Cole said. “Both rely heavily on uninsured deposits, which makes them vulnerable to a bank run similar to what forced regulators to close three large banks during spring 2023. Those bank closures have led to concerns about the stability of the U.S. banking system that persist to today.”

For comparison, the Q1 2024 industry-average benchmark for total CRE exposure was 139% of total equity.

Banks with less than $10 billion in total assets are facing similar risks due to their commercial real estate exposure. Among banks of any size, 1,871 have total CRE exposures greater than 300%, 1,112 have exposures greater than 400%, 551 have exposures greater than 500% and 243 have exposures greater than 600%.

“Three banks have failed in the past year and now we have several candidates where their exposure to commercial real estate is over 500%. Should another bank fail, it’s likely that depositors will pull their money out of these highly exposed banks, which could lead to a banking panic similar to what we saw during spring 2023,” Cole said.

© 2024 Florida Atlantic University


U.S. Department of the Treasury

Remarks by Under Secretary for Domestic Finance Nellie Liang at the 2024 OCC Bank Research Symposium

As Prepared for Delivery

Introduction

Thank you for the invitation and opportunity to speak to you today. 1 The topic of your research conference—depositor behavior, bank liquidity, and run risk -- is critically important for the business of banking and for financial stability. 

The deposit runs we observed in the spring of 2023 were in many ways the most serious disruption to banks in more than a decade. The runs contributed to the failures of three relatively large banks in the U.S., stresses at other banks with similar business models, and the failure of a GSIB. More broadly, they were a stark reminder that depositor runs and contagion to other banks are not anachronistic events of the past, and what they exposed were not new, unknown vulnerabilities. Instead, the runs highlighted the buildup in some well-known vulnerabilities in the banking system associated with unrealized mark-to-market losses on the asset side of bank balance sheets, and a large share of uninsured deposits on the liability side. In addition, they focused attention on how technology may be speeding up deposit withdrawals, and the role of social media. Many of these topics are covered by the papers on the program for this conference.

Today, I will start by reviewing the events of March 2023, but then I will take a step back and frame these events within a broader view of banks’ business models over the past 40 years. I will end with some questions and considerations for potential policies around liquidity management aimed at protecting the safety and soundness of banks and financial stability. 

Before I delve into these issues around liquidity, I’d like to make sure we don’t lose sight of the importance of capital for interest-rate risk in bank regulatory capital. Last year’s runs took place during an interest rate tightening cycle that led to significant unrealized mark-to-market losses on banks’ bond portfolios and threatened the solvency of some banks. In many ways, this episode is another reminder of the importance of capital and the interaction of capital and liquidity. I will also touch a bit on this later.

U.S. bank runs in March 2023

Turning to the bank runs of March 2023, I’d like to briefly remind us of the broad U.S. macroeconomic environment we were in. As the economy recovered from the pandemic and inflation reached high levels, interest rates increased significantly from very low levels, starting in late 2021 and through 2022, reflecting the monetary policy tightening by the Federal Reserve.

The tightening came on the heels of a period of rapid deposit growth during the pandemic. Total deposits at commercial banks in the U.S. rose by more than 35 percent over the two years from 2019 to 2021, to around $18 trillion. This rise in aggregate deposits was outsized compared to any period in recent history, as documented in a paper by Castro et al. (2022). 2   Their paper noted four factors as largely explaining this significant deposit growth: the initial spike in commercial and industrial (C&I) credit line drawdowns at the onset of the pandemic; asset purchases by the Federal Reserve; large fiscal transfers to households held mostly in savings in the form of deposits; and a higher personal savings rate. 3  

Notably, as deposits grew, the share of uninsured deposits also grew, especially for regional banks. As shown in figure 1, the share of uninsured deposits for all domestic banks grew by a few percentage points to about 45 percent. But, for banks with assets between $100 and $250 billion, this share grew by 10 percentage points and reached 55 percent. This share also grew by 10 percentage points for smaller banks with assets between $10 and $100 billion, but to a lower share of roughly 45 percent. 

As interest rates rose, bank deposits began to fall. The outflow of bank deposits into money market funds and other alternative short-term instruments was mostly anticipated and orderly. However, deposits at the large regional banks declined more significantly. Banks turned to Federal Home Loan Bank (FHLB) advances in many instances to make up for these lost deposits. These advances more than quadrupled from around $190 billion in late 2021 to over $800 billion in the first quarter of 2023. 4

Moreover, some banks, including some regional banks, had invested in long-dated Treasury and agency securities or other long-duration, fixed-rate assets when their deposits had been growing, taking on increased duration risk. And as interest rates rose, these banks experienced sizable declines in the fair value of these securities and loans, leading to significant unrealized losses. 5  

A few firms had a combination of especially elevated shares of uninsured deposits and unrealized losses, as well as rapid growth in uninsured deposits, and the runs and failures that have now become history followed. You can see both patterns in figure 2—the left-hand side plots individual banks’ shares of uninsured deposits as of the fourth quarter of 2022 against their adjusted common equity tier 1 (CET1) capital ratios for the same period. This CET1 measure reflects the unrealized losses on banks’ books, as it incorporates the fair values of securities and loans on banks’ books. The right-hand side depicts individual banks’ shares of uninsured deposits in the fourth quarter of 2022 against the growth in uninsured deposits between 2019 and 2022. In both figures, the three banks that failed— Silicon Valley Bank (SVB), Signature Bank, and First Republic—really do stand out.

Perhaps what’s especially striking about these runs is that they were very large and fast by historical standards. For example, as documented in Rose (2023), SVB lost 25% of its deposits in one day and was closed before an additional 62% was scheduled to leave the next day. 6   At Signature Bank, 20% of deposits were withdrawn in a matter of hours. And at First Republic, customers withdrew about 14% of deposits on the first day, 23% the next business day, and an additional 20% until it failed. In contrast, the failure of Washington Mutual in 2008, the largest bank failure ever in the U.S., was the culmination of stresses that occurred over several weeks, with total deposit outflows of 10%.

While technology that allows deposits to be transferred easier and faster likely contributed to the speed and size of these runs, and there was substantial social media coverage of SVB the day its run started, a key factor seems to have been the concentrated and highly networked depositor base of these banks. For example, at SVB, venture capital firms, portfolio companies, tech and crypto companies, and high-net-worth individuals appear to have communicated their concerns quickly with one another, leading to a massive and rapid run. There was also some uncertainty around if FHLBs would be able or willing to meet SVB’s and Signature’s requests for increased advances, which may have added to the concerns about the banks’ ability to meet redemption requests and made their liabilities “information sensitive.” 7    

The contagion that followed these runs was also a classic bank run, as other regional and mid-sized banks that were perceived to have similar weaknesses experienced outflows as well. Those banks that came under greater pressure tended to have large unrealized losses in their loan and securities portfolios and relied heavily on uninsured deposits. 8  Importantly, during this episode, deposits at smaller banks generally remained stable, and the outflows became inflows into the largest banks. 9  

In response, the Federal Reserve, the FDIC, and the Treasury Department stepped in quickly by invoking the systemic risk exception, permitting the FDIC to fully pay out uninsured depositor claims for SVB and Signature, and by establishing the Bank Term Funding Program. These actions were helpful in limiting a broader contagion and further damage to the U.S. economy, even as some regional banks continued to see outflows and came under stress for a period.

Evolution of bank business models

While the events of March 2023 remind us of something we have known for a long time—the reality of bank runs—I want to place these events in a broader context, and in particular highlight some observations around how banking has evolved over the past 40 years. I think these broad trends are helpful for thinking about any policy changes that could be considered to reduce the fragility of the banking system, a point nicely articulated also by Hanson et al. (2024). 10  

As shown in figure 3, deposits have been growing rapidly relative to GDP over the past 40 years—rising on net by almost 60% between 1985 and 2019, before surging in 2020, for the reasons mentioned earlier. The uninsured share of deposits also has risen substantially during this period, with much of the increase happening before the Global Financial Crisis (GFC), but remaining high after the insured deposit limit was raised to $250,000. This longer-term upward trend for deposits suggests banks have significant value in their deposit franchise, continuing a significant role in providing liquidity services, facilitating transactions and payments. 

At the same time, as shown in figure 4, direct C&I lending by banks has been almost flat to even a bit negative over the same 40-year period. Considering that nonfinancial credit to GDP increased significantly during this window, this figure underscores the shrinking role of banks in providing credit to nonfinancial businesses. Instead, as Hanson et al. (2024) highlight, banks seem to be shifting their asset portfolios towards securities holdings.

But on-balance sheet lending is not the full story. Notably, even as direct bank loans to businesses have fallen, banks still provide liquidity to nonfinancial businesses through revolving credit lines. We know that businesses drew significantly on these backup lines at the start of the pandemic, which can be seen in the chart and is also discussed in Bräuning and Ivashina (2024). 11  

In addition, banks provide credit and liquidity lines to nonbank financial intermediaries (NBFIs) to support their lending, including to nonfinancial businesses. Growth in lending by banks to NBFIs, including nonbank lenders, securitization vehicles, open-end funds, and other private funds, can be seen in figure 5. Bank loans and credit line commitments to NBFIs have reached more than $2 trillion (relative to C&I loans of $2.7 trillion), with commitments accounting currently for about 80% of the total shown here. Acharya et al. (2024) highlight this trend, emphasizing that banks via their provision of loans and credit lines to NBFIs remain exposed to credit and contingent liquidity risk. 12 In other words, the growth in NBFIs vis-à-vis the drop in bank lending may not entirely be a zero-sum game for banks.

These indicators suggest important changes in how banks provide credit and liquidity to businesses and support financial activity, yet highlight how banks remain a vital part of financial intermediation despite the declining measures of their direct loans to businesses. You see this through both the continued rise in deposits over decades and the rise in credit and liquidity to NBFIs. In other words, even as some things have changed, core bank functions have not. Banks continue to play a key role in liquidity provision through both the asset and the liability sides of their portfolios, as formulated in Kashyap, Rajan, and Stein (2002), with strong synergies between the two, where the deposit franchise helps them provide the liquidity on the asset side. 13  

Policy considerations

A key lesson of the events of March 2023 is that depositor runs and contagion to other banks are still part of our lives, as they were in It’s a Wonderful Life, the 1946 movie. Yes, the speed and size of the recent runs were larger than in recent decades, and technology and social media may have played a role. But the vulnerabilities were not new, and bank deposit runs are not sunspots. At the same time, from a broader perspective, banks’ value is increasingly based on their ability to provide liquidity, on both the liability and the asset side. As we consider what policy changes might be appropriate, it seems critical to focus on how we can ensure that banks are able to provide that liquidity both in normal and in stress times.

Let me mention six policy areas for consideration. First, we need to ensure that our supervisory and regulatory frameworks can effectively monitor and address core vulnerabilities that were the key drivers of the recent runs. These vulnerabilities include increased shares of uninsured and concentrated deposits, as well as unrealized losses on loan and securities portfolios. In that regard, more complete coverage of interest rate risk in capital requirements seems necessary. Bank regulatory capital measures do not reflect unrealized changes in the market value of banks’ securities holdings, such as due to a rise in interest rates, except for the largest banks. This is due to “hold-to-maturity” accounting and the “AOCI opt-out” for securities that are accounted for on an “available-for-sale” basis. The banking agencies have proposed to eliminate this opt-out for banks with assets between $100 billion and $700 billion. Finalizing this change would be an important step in addressing interest rate risk. As a side but related note for researchers: it would be helpful to understand why uninsured deposits and long-dated securities grew disproportionately at these regional and mid-sized banks, and particularly if differences in regulatory requirements were a factor. 

Second, banks should have the operational capacity to borrow from the discount window and to periodically test this capacity. It’s really the only true backstop for banks to quickly raise or provide assurance of needed liquidity, short of holding cash and reserves. This access is key for banks’ ability to fulfill their liquidity-provision role, both to meet the demand for deposits and committed lines, which become heavily tapped in stress times.

At the same time, the work by the Federal Reserve to improve the discount window’s operational efficacy, such as moving to online systems, or enabling a smoother transfer of collateral between FHLBs and the discount window, is needed. Of course, there is still a stigma associated with the discount window, perhaps reflecting its long history. But efforts to require regular testing, building discount window readiness into liquidity regulations and supervision, and re-thinking the two-year ex-post disclosure requirements seem like additional useful steps that can help reduce stigma.

Banks also borrow from the FHLBs, at times in great volume, as I mentioned earlier, but FHLBs are not well suited to be lenders of last resort. This point was articulated clearly in the FHFA report released late last year. 14   But this practice raises a question of when does a FHLB decide to stop meeting a bank’s demand for advances. As part of the work to reform FHLB practices and bank liquidity risk management practices, I think it will be helpful to look for ways for the FHLBs to be more transparent about their practices. It is also critical that FHLB actions to stop advances are not viewed to contain private information about a borrower’s financial condition and to make a bank’s liabilities “information sensitive.”  One potential idea in this regard would be to consider ex-ante concentration and growth limits for bank liabilities that would apply to FHLB advances, similar to how it may be appropriate to keep an eye on concentration of deposits.

Fifth, the proposals for pre-positioned collateral requirements at the discount window are promising, but there are important questions to consider. These include how much and what kind of collateral should be required. For example, the G30 report proposes requiring banks to pre-position enough collateral at the central bank to meet all their “runnable” obligations, including 100% of uninsured deposits. 15 Similarly, Hanson et al. (2024) propose that the pre-positioned collateral should be largely short-term government debt, to lean against the use of long-duration securities as backing for uninsured deposits, but they also give a nod to the possibility of including loans with appropriate haircuts. Another question is whether the pre-positioned collateral should count towards existing liquidity requirements like the Liquidity Coverage Ratio. As alternatives are considered, an important principle is that pre-positioning requirements are not so significant that they undermine banks’ deposit franchise value, which is tied to their ability to provide liquidity to nonfinancial corporations and NBFIs.

Finally, re-examining deposit insurance coverage could be considered, but additional research is needed here too. The FDIC issued a report following the bank failures last year on options for deposit insurance reform, including wider coverage or higher limits. One of the options in the FDIC report is to expand coverage to business transactions accounts, similar to what is done in some other countries. 16  But the FDIC also highlighted unanswered questions, including how to define such deposits. Another question is whether an expansion of deposit insurance might produce significant costs in the form of reduced market discipline, increased moral hazard, or other costs.

To conclude, there are many policy responses to consider in response to the events in March 2023, and research like what is being presented at this conference is essential to deepening our understanding of these issues and questions. I look forward to reading and learning from them. 

The figures referenced in these remarks are available here.

[1] I would like to thank Burcu Duygan-Bump, Eric Goldberg, and Laurie Schaffer for assistance in preparing these remarks.

[2] Castro, Andrew, Michele Cavallo, and Rebecca Zarutskie, “Understanding Bank Deposit Growth during the COVID-19 Pandemic,” FEDS Notes , Washington: Board of Governors of the Federal Reserve System, June 06, 2022.  https://doi.org/10.17016/2380-7172.3133 .

[3] In addition, some banks—like Silicon Valley Bank—experienced extraordinary growth in deposits related to the growth of the venture capital and technology sectors during the tech boom around this period. See  Silicon Valley Bank profit squeeze in tech downturn attracts short sellers (ft.com) . 

[4] Federal Deposit Insurance Corporation, Balance Sheet: Total Liabilities and Capital: FHLB Advances [QBPBSTLKFHLB], retrieved from FRED, Federal Reserve Bank of St. Louis;  https://fred.stlouisfed.org/series/QBPBSTLKFHLB . 

[5]   Federal Reserve Financial Stability Report, May 2023 .

[6] Jonathan Rose, "Understanding the Speed and Size of Bank Runs in Historical Comparison,"  Economic Synopses , No. 12, 2023. https://doi.org/10.20955/es.2023.12 . 

[7] Dang, Tri Vi and Gorton, Gary B. and Holmström, Bengt R., “The Information View of Financial Crises,” Annual Review of Financial Economics , Vol. 12, November 2020.  http://dx.doi.org/10.1146/annurev-financial-110118-123041 . 

[8] This experience is similar to runs on asset-backed commercial paper programs in 2007, which were also not random but instead were significantly more likely at riskier programs, based on observable program characteristics, including the quality of back-up liquidity. See Covitz, Daniel M., Nellie Liang, and Gustavo Suarez, “The Evolution of a Financial Crisis: Collapse of the Asset-Backed Commercial Paper Market,” Journal of Finance , Volume 68, Issue 3, June 2013.  http://dx.doi.org/10.2139/ssrn.1364576 .

[9] See for example Luck, Stephan, Matthew Plosser, and Josh Younger, “ Bank Funding during the Current Monetary Policy Tightening Cycle ,” Federal Reserve Bank of New York  Liberty Street Economics , May 11, 2023, and Cipriani, Marco, Thomas M. Eisenbach, and Anna Kovner, “Tracing Bank Runs in Real Time.” Federal Reserve Bank of New York Staff Reports , no. 1104, May 2024.  https://doi.org/10.59576/sr.1104 . 

[10] Hanson, Sam, Victoria Ivashina, Laura Nicolae, Jeremy Stein, Adi Sunderam, and Dan Tarullo, “ The Evolution of Banking in the 21st Century: Evidence and Regulatory Implications ,” Brookings Papers on Economic Activity , Spring 2024.

[11] Bräuning, Falk and Ivashina, Victoria, “Bank Runs and Interest Rates: A Revolving Lines Perspective,” May 14, 2024.  http://dx.doi.org/10.2139/ssrn.4827005 .

[12] Acharya, Viral V. and Cetorelli, Nicola and Tuckman, Bruce, “Where Do Banks End and NBFIs Begin?” March 15, 2024. http://dx.doi.org/10.2139/ssrn.4760963.

[13] Kashyap, Anil K, Raghuram Rajan, and Jeremy C Stein,  “ Banks as Liquidity Providers: An Explanation for the Co-Existence of Lending and Deposit-Taking ,” Journal of Finance , Volume 57, Issue 1, 2002.

[14] See  Federal Home Loan Bank (FHLBank) System at 100: Focusing on the Future , 2023. 

[15] G30 Report on “ Bank Failures and Contagion: Lender Of Last Resort, Liquidity, And Risk Management ,” January 2024.

[16]   Options For Deposit Insurance Reform (fdic.gov) .
