Head2Head: Impacts of Digitisation

By Bruce Meuli, Global Transaction Services Advisory Executive, EMEA and Jonathon Traer-Clark, Head of Strategy and Advisory, Global Transaction Services at Bank of America Merrill Lynch

Bruce and Jonathon tackle risk in the digital domain, and discuss the real-world impact of innovation on working capital.  

Managing Risk in a Digital Environment

JTC
Bruce, let’s talk about risk. We know that the treasury discipline has been very good around things like liquidity risk, exchange rate risk and interest rate risk. But I would argue that there's another concept that treasurers are now worrying about much more today, and that’s digital risk. Would you agree?

BM
Are you thinking pure digital risk or are you coming at this from a wider operational risk perspective? I think people often get that confused.

JTC
That’s an interesting take on the matter, can you explain?

BM
The way I see it, some of the weakest points in any process, from an operational risk perspective, are where we see manual intervention, simply because those processes are not digitised.

I think that you could look at this in two ways. Digital does increase the opportunity for cyber threat for instance, but then it may also reduce the opportunity for fraud from a manual basis. 

If you fully digitise a process then it becomes an IT issue. With that, you can actually make your response to the process far more proactive. By that I mean you have more data to manage, but if you automate you can manage that data more effectively on a continuous basis because there are no breaks in the chain. If you have manual processes, it becomes more difficult to maintain the flow, and the manual links in the chain – where the process stops and restarts – become the weak points.

JTC
But does it? If I write a cheque – a truly manual process – I am saying ‘Here’s the money I owe you’ and I give you the cheque. You have been paid.

Let’s look at it from the other side of the ‘digital’ coin. I might decide to send you the money through an electronic banking system. But if that was a fraudulent payment, how can that be stopped? With a manual process, I can just tear the cheque up. With a digital process, that payment has gone; it’s instantaneous.

BM
That’s a very good point – and if you think about real-time payments, it’s true and there is no ability to stop that. But there have been some incidences where a payment has been initiated and it’s been caught before it’s gone too far through the banking network. If you use real-time payments though, that opportunity for an early catch disappears. 

So yes, the digitisation of some of these processes can increase the risk. But what I am saying is that with a digital process such as machine learning, you have more ability to build in checks and balances using data – the ability to detect and mitigate, before something occurs.

JTC
So it’s not about the actual mechanism by which you create the settlement, the real story is about how it is possible to actually catch the fraudulent act before you get to settlement? 

BM
Exactly. Just on input controls alone, where you can only enter data which fits what has been prescribed for that field, you have an entry check right at the beginning of the process. But even if that goes through further, you can have all sorts of other checks in place. How should this payment be made normally? Do we usually make this payment? Has a payment gone through which doesn’t normally go through? These questions should raise exceptions.

JTC
That is similar to pattern matching. What we are picking up then is an abnormal behaviour. 

Here’s another consideration – the need to train your staff differently. They have to be comfortable saying ‘no’ to an instruction. 

We’ve all seen the messages about receiving an email from the CEO. It looks and sounds legitimate and has an urgency that can trick some people into sending huge sums. To me, there has to be a multifaceted approach to risk. I don’t think it’s only about digital pattern matching or any of the other smart technologies; it also has to be about training people and giving them the confidence and the ability to sit comfortably within that process – it’s about promoting good conduct. 

BM
I agree. People will always have a role somewhere in the process and that role will evolve. What’s important, is that education and development prepare people to evolve with the changes and ensure that they work within best practices. It’s about getting people into the right behaviours.

TMI Comment

It’s an interesting conundrum that the more a process is digitised, the greater the risk of it being undermined by cyber criminals, and yet the more a process is digitised, the greater the ability to implement embedded controls in a system to protect against such an attack.

But it is also the case that if one or more manual procedures are retained within a process, where rapid digital tools such as Faster Payments are used at the end of that process, those human interventions make it far more likely for error or fraud to occur yet not be detected. This presents a huge risk as once an instruction has been sent through a faster mechanism, it cannot be recalled. 

Every manual intervention in an otherwise digital chain will create a potential bottleneck or the opportunity for human error, each time halting the digital flow and adding risk. 

Furthermore, these breaks not only create operational cost in terms of staffing, they also have a negative working capital impact; the inevitably slower speed at which collected funds are booked, for example, has wider financial consequences.

The ideal is therefore ‘fully digital’, with appropriate checks and balances embedded throughout the process. Of course, humans will still be involved to a greater or lesser degree in many processes, although more on the managing, rather than the executing side. To minimise the inherent risks this creates, there will always be a need for risk education and instilling good practice as the norm.

 

 [[[PAGE]]]

A final word from Jonathon & Bruce

In our opinion, TMI’s verdict is somewhat one-dimensional, and seems to focus on the downside. Having both digital and manual oversight is a powerful combination – but only if one recognises the inherent strengths and weaknesses each capability brings. Furthermore, whilst it’s true that once accepted a payment in a faster system has to be legally cleared within a given time frame, the key is the acceptance phase. That’s where human and machine intelligence should be combined. The whole area of digital operational risk (and others) vs manual vs something in between is a big ‘practical’ consideration. Get it wrong and it is worse than just a manual system...

Digitisation 

BM
Jonathon, let’s look at some practical examples of digital innovation in the working capital space; what do you see as the current key advances?

JTC
Something that will be very familiar and important to all our clients is identity management. We’ve seen innovation in the way that people think about biometric authentication, for example. One country has even created and implemented a system whereby an individual’s fingerprint can be stored digitally on a central database. If that person then wants to open a bank account or prepare a new mortgage application for example, when they visit the bank branch, they bring their identity card along with them and the card holder can then authenticate themselves, simply using their fingerprint. 

We’ve also seen a lot of work around fraud detection. The way that we hold and interact with our mobile phones is as unique as our fingerprints so it is now possible to achieve a very high degree of identity confidence just from the way we use those devices. In the corporate space, we’ve seen great moves towards re-imagining paper-intensive processes, with a push towards digitisation – not just turning them into electronic copies of paper but fully digital, machine-readable artefacts.

BM
Indeed, and cash application processes would be a classic example of that, where we are seeing major developments around matching incoming AP or AR items to bank statements. It used to be the case that if you got 60% on a first pass, then you were doing pretty well. But with recent innovations the game has changed significantly for the better.

JTC
You’re talking about straight-through processing, right?

BM
Absolutely. And there have been noteworthy advances in the logic around how that matching process works. This is where we start to get into the whole discussion around machine learning and algorithms. We are now moving into the realm of robotics and process automation, and its application to manual processes is rich in innovation. In this context, we are certainly seeing some very fruitful returns as far as optimisation of treasury is concerned. Not least in optimising working capital and the wider cash management space, where we have seen immediate cash application, real-time position data and improved forecasting.

JTC
You’re right – and I think these advances apply to almost every aspect of business today. The reconciliation process can be accelerated by using artificial intelligence, deploying pattern matching techniques, for example. But it is also possible to use that intelligence collectively. One of the new ideas that we’re working towards is how to draw more power and information from data by combining sources – so that it effectively becomes greater than the sum of its parts. I think that this will create some very interesting opportunities. As a real-world example, I can see data around corporate working capital flows being supercharged by information from market data providers working in the banking landscape.

BM
You mean banks working with their own data and combining it with corporate data, or do you see the inclusion of bank-dependent data sourced from third-party repositories? If the latter, how’s that going to work?

JTC
Obviously we have to be acutely aware of matters such as privacy, but we should acknowledge that those new information landscapes represent opportunity when you start viewing them in aggregation. 

You talked about a matching process for reconciliation, for example. If I match the receipt of the flows of money with an instruction that came from the payer to say, ‘I sent you the money’, it becomes entirely possible to tie a business event with a financial event; this gives a far higher degree of confidence with the reconciliation process and lessens the exception work required.

This is a fairly standard practice nowadays but it’s thinking like this – where you start to merge different fields of information with different pieces of workflow or processes – that is where we will be generating a huge opportunity for clients. This is a conversation that has only really just started but it is one which I think will gather pace pretty quickly as the results are proven.

The TMI verdict

Technology can bring advantages to almost every aspect of business. We know that data, when processed automatically and subjected to artificial intelligence and machine learning, can deliver the kind of visibility and accelerated flows that treasurers have longed for.

But it will take vision and commitment to ensure that the expected results are achieved. Only by bringing together different functions, both internal and external, and by sharing data, are we likely to reveal a source of knowledge far greater than the sum of its components. 

However, the nature of the beast is that ever more data is increasingly exposed to the outside world. As digitisation becomes the norm, new security issues will inevitably surface. Developments around biometric authentication and user behaviour for example, are keeping pace as evidenced by some interesting progress at a national level in several countries.

We all need to be mindful from a regulatory and compliance perspective, of how and why we are using that data, and what we are doing to protect it, because with power comes responsibility. The EU’s new General Data Protection Regulation regime – controlling use of data in the digital age – will assert this, with the potential for strongly punitive action on transgressors when it goes live on 25th May 2018.