The regular industry events for the three lines of defence organised and facilitated by 1LoD have evolved into a valuable platform on which financial firms, regulators, vendors and other interested parties exchange industry updates and new ideas and address emerging challenges.
Mobilewatch has been working with 1LoD for nearly three years and has had the pleasure of sitting on several panels with other industry professionals, steering the discussion towards the often-unaddressed topic of personal device surveillance in regulated areas.
One of the recent panels at the 1st Line Risk & Control Deep Dive event earlier this year focused on conduct surveillance and the future of the 1st line risk and control function. Most importantly, the panel discussed the role of technology in automating surveillance capabilities and bridging the gaps between the 1st line and 2nd line control functions.
New technology such as #personaldevicesurveillance by Mobilewatch is an opportunity to update existing business models and ensure that all three lines benefit from the technology the firm is using. It makes sense for all three lines to work together, to test and use the same systems, and to draw the data each needs from those same systems. It is about cooperation and communication across all three lines.
It was also agreed that conduct risks should be reviewed regularly, especially to address new ways of working. Firms need to be agile and embrace change, as they did during the pandemic: within weeks, a previously unthinkable ‘trading from home’ became a real and accepted business model.
Risk associated with personal devices is, unfortunately, a negative example: most firms have been very slow to recognise the risk and update their risk taxonomy. In other words, the industry is dealing with this problem using a very outdated toolbox. Yes, there is clear regulation across the board, but the risk approach most banks apply is a decade old, and many use it as a convenient get-out clause.
Personal mobile devices are a huge security risk, one that in our view far exceeds the combined risk from e-comms, work phones, chatrooms and email, yet most financial firms apply no meaningful controls in the personal communications space.
As Raili Maripuu, Chief Executive Officer at Mobilewatch, pointed out, there are still areas in which technology is a vital backstop. “Banks have to be careful not to rely upon soft controls, culture and policies alone. A prime example is personal mobile devices, where banks hide behind policy in order to avoid the inconvenient truth that these devices are a huge security risk on which few, if any, meaningful hard controls are applied by the majority of financial firms. Culture doesn’t give you an automatic opt-out from the controls; on the contrary, by addressing all current risks firms demonstrate that they are serious about their culture.”
Her point was reinforced by the responses to a question on how effectively firms manage the risk of unapproved communications devices: just 23% of attendees felt their firm was highly effective in this area. Getting the risk and control framework right, and making it sustainable, remains a work in progress.
Whether we like it or not, our world is increasingly led by technology, and our operating models, large and small, need to embrace that. The industry needs to incorporate technology into its risk remediation approach, because soft policies do virtually nothing to remediate a technology risk of this scale. After all, the goal is a proactive dealing floor culture that includes demonstrable personal responsibility.