AI Risk Management: Catalyzing Banking’s Move to the Cloud
SEE LAST PAGE OF THIS REPORT Paul Sagawa / Tejas Raut Dessai
FOR IMPORTANT DISCLOSURES 203.901.1633/.901.1634
psagawa@ / firstname.lastname@example.org
June 27, 2018
AI Risk Management: Catalyzing Banking’s Move to the Cloud
Learning-based AI systems allow software models to draw much more powerful insights from large datasets than traditional analytic techniques. This property makes AI a natural match for risk management at banks, which spend 17% of their annual revenues on processes to minimize and hedge their exposure to credit, market, operational and residual risks. Not only are these processes expensive, but they are imperfect, both in failing to anticipate some risks that lead to loan delinquencies, trading losses, fraud, or other negative outcomes, and in unnecessarily foreclosing profitable opportunities through overassessment of risk. We believe AI systems could lower risk management costs for US banks by 36% and improve outcomes by $73B/year, but there are obstacles. First, banks have copious amounts of data, but most of it is trapped in structured formats, poorly labeled, and rife with error. Second, AI systems are famously opaque, making it difficult to understand the train of logic behind the decisions it recommends. Finally, cutting edge AI is extremely sophisticated and intrinsically holistic (e.g. programming is not easily broken into modules), requiring experienced scientific talent to lead development. Data will have to be cleaned and reformatted, research to enable greater visibility into AI models will need to advance, and even those very few banks with the wherewithal to hire true AI experts will need to work closely with 3rd parties to develop and implement the systems. Still progress is being made, with opportunity for leading AI platform companies and IT consultants to generate substantial near-term growth in a huge addressable market.
- AI can improve loan outcomes at lower costs. Loan delinquencies at US banks currently run at near historical lows, just under 2%, down from nearly 7% at the height of the last recession but are still ~$366B. To achieve this result, banks spend $52B annually on processes to manage this risk and apply overly conservative lending policies that result in turning down profitable lending opportunities. AI systems could make better loan decisions based on broader and more sophisticated analysis of available data. They could also better manage the bank’s risk exposures to categories of credit risk at the portfolio level. Importantly, we believe that AI-based processes could cut credit risk management costs by 37%.
- AI can better assess and counter market risk exposures. Banks are exposed to market risks – e.g. interest rates, FX, asset values, etc. These factors change the value of balance sheet assets and liabilities, typically NOT in sync with one another, reducing book value, tying up capital unproductively and squeezing profitability. Identifying exposures at a granular level is difficult and AI can help find, measure and recommend measures to mitigate them. On an aggregated basis, AI can help design and execute hedging strategies. The financial crisis of 2008 was a stark failure of market risk management, spurring new regulation that adds ~$36B in annual compliance costs. AI-based solutions could lower those costs and reduce the likelihood of a similar collapse in the future.
- Errors, malfeasance and bad processes. Operations risks are the stuff of scandal – rogue traders, fraud, embezzlement, regulatory compliance failures, cybercrime, etc. Since the recession, US banks have paid $160B in fines for compliance violations despite spending $70B annually to avoid them. Cybersecurity is another major concern –US banks spend ~$21B per year to fight hackers. Annual losses to process failures – e.g. fraud, error, etc. – is about $16B, and losses for compliance failures are ~$30B. AI tools can help to flag questionable activity more quickly and accurately, before it can balloon to scandal proportions, with significant annual cost savings vs. traditional processes.
- Banking data is poorly formatted and inconsistent. Banks have a lot of data. Unfortunately, most of it is tightly structured in databases that have been supporting traditional processes and would have to be reformatted to train AI-based systems. The datasets are also typically fragmented into discrete systems inconsistent with one another. This will require investment to pull together the large pools of consistently formatted data necessary for AI risk management systems.
- Model transparency is critical for banking systems. AI risk management models work by finding swaths of subtle and unforeseen statistical relationships within data, using those relationships to make optimized decisions and adjusting the decision algorithm as it continually processes new data. To date, the underlying logic behind those optimized decisions has been largely opaque – delivering the “what?” but not the “why?”. Banks must have the “why?” to defend credit and trading decisions to customers, regulators, and investors. AI researchers are developing methods to allow this visibility, but further progress must be made.
- Banks lack AI capabilities. AI development is holistic, demanding experienced scientific talent to oversee design and training for each project. This talent is in very short supply – there are fewer than 1,000 CS scientists with at least 1,000 academic citations working in private industry, with more than ¾ of those working for GOOGL, MSFT, IBM, FB and AMZN. Only GS (3) and JPM (1) have hired expert level scientists to lead their AI efforts, and even their resources are likely inadequate to address the full range of opportunities in front of them. Smaller banks may have no internal AI expertise at all. Moreover, AI systems are best trained and implemented on specialized datacenter hardware that banks do not have and would be costly and inefficient to buy themselves.
- Major opportunity for AI hosts. Banks have historically kept all their mission critical applications in-house on their own datacenters, but AI will require 3rd party help. AMZN, MSFT, IBM and GOOGL can offer hosting at a significant discount from in-house costs, including access to specialized hardware (i.e. GPUs, FPGAs, and ASICs) tuned to the requirements of developing and running AI. These platforms also offer templates for AI analytics and other sophisticated development tools. For the biggest opportunities, the leading AI hosts will co-develop customized solutions – IBM’s acquisition of compliance expert Promontory Financial Group is a strong move to gain leadership in that segment. IT consultants (e.g. IBM, ACN) will help to transform banking datasets for AI development. 3rd party SaaS solutions for banking risk management applications will emerge, focused on smaller banks without the resources for customized solutions.
Banks get paid to take risks. Loaning money creates credit risk, as some recipients do not pay it back on schedule. There is also market risk that interest rates or asset prices will shift, changing balance sheet values, squeezing capital, and/or tightening profit margins. Finally, the banks own processes create operational risk that employees will make mistakes, bad actors will exploit the banks defenses, that systems and procedures will fail, or that regulators will find fault. To cope with these risks, US banks devote 17% of their total costs to processes designed to manage all three categories, yet failures still result in charge downs, direct losses and regulatory fines, while simultaneously unnecessarily denying business that would likely prove profitable.
AI could help a lot. Traditional risk management processes rely on static analytic models to fuel human judgment. Deep learning AI techniques can extract powerful, unanticipated insights from millions of iterations through huge datasets, identifying risks that would have been unnoticed, offering much more accurate assessments of risk exposures, and providing optimal recommendations for action. With AI-based risk management systems, banks could reduce delinquencies while approving more good loans, decrease exposures to market risks while better mitigating those that cannot be avoided, and limit costly organizational failures. Meanwhile, risk management processes will be more automated, and thus, considerably less costly. Across all three addressable risk categories for US banks (the fourth, residual risk is a bit of a catch-all for difficult to address risks), we see as much as $152B in annual risk related losses, $31B in unrealized profits from unnecessarily avoided business, and $142B in annual costs for risk management processes.
Of course, there are obstacles. The first is that much banking data is tightly structured formats and fragmented across incompatible databases – there will be substantial investment required to ready it for AI, particularly given regulatory scrutiny. Those regulators also demand that banking processes be completely transparent, historically a problem for AI models with their extraordinarily complicated organically grown decision algorithms. Researchers are working to give visibility into AI “black box” models, but further progress must be made before banks will fully rely upon them. Finally, designing, training, and implementing AI risk management systems will demand computer science expertise that is in very short supply and datacenter capacity specially tailored to the needs of AI. Only a small handful of banks have invested in any real AI expertise, and even those few will need to rely on tech industry partners to supplement their relatively modest investment in the technology.
This is a major opportunity for AI hosts. IBM, able to exploit their position in nearly every bank’s datacenters, has been aggressive. Expertise from top risk and compliance consultant Promontory Financial Group, acquired in late 2016, is being used to help shape Watson AI solutions for its clients. MSFT, GOOGL and AMZN also support the development of AI risk management solutions on their platforms and should greatly benefit as the banking industry migrates to the cloud. We also expect the rise of more generic SaaS-based AI risk management applications targeted at smaller banks.
Exh 1: Banking Risk is Broadly Divided into Four Categories
The Four Faces of Banking Risk
In 2004, the second Basel Accords established a framework for assessing banking risk, and while the subsequent Basel III and Basel IV agreements tightened recommended regulatory requirements for the capital necessary to support financial risk and other “stress test” metrics, the basic concept remains. By this framework, most banking risk falls into three overlapping categories – Credit Risk, Market Risk, and Operational Risk – with a fourth catch-all bucket, Residual Risk for exposure to geo-political and region-specific risks not captured by the other areas (Exhibit 1). Individual assets or transactions may combine exposures across categories. For example: A loan officer could mistakenly offer a mortgage loan (operational risk) to homebuyer with a record of bankruptcies (credit risk) for a property in a neighborhood with wildly fluctuating property values (market risk). While the risk associated with this loan might be captured in the credit risk category, preventing similar future risks would involve attention to the processes in all categories.
Exh 2: Historical Quarterly Delinquency Rates by Loan Type, 1Q2013 – 1Q2018
Credit risk is the possibility that monies lent will never be paid back. The statistics on loan delinquencies (the percentage of loan assets that are not current on payments) and charge-offs (the value of loan assets written off and not expected to be collected) are openly reported and widely scrutinized. Delinquencies are currently near historical lows, below 2% and far beneath the near 7% rate posted in the wake of the 2008 financial crisis (Exhibit 2). Still, not counting $75B in student loan defaults – mostly federally guaranteed or held by specialized lenders (i.e. Sallie Mae) – US banks charged off about $45B in delinquent loans last year.
Credit risk management systems work to minimize exposure and charge offs by denying bad loans at the start and selling off the ones that slip through, while assuring credit is appropriately priced and maintaining a diversified portfolio of credit exposures (Exhibit 3). Unacknowledged is the risk of passing on likely profitable business based on poor assessment of delinquency risks. We believe that this could amount to as much as 5% of consumer and commercial lending, suggesting up to $28B in lost profits annually.
AI techniques allow programmers to build much more accurate models for credit, considering many more variables across larger datasets and adjusting in real time to changing market conditions (Exhibit 4). Using AI-based models to assess the creditworthiness of loan applicants should reduce the exposure to poorly performing loans, while simultaneously recommending likely profitable loans that might have been denied under traditional processes. Moreover, these systems would make loan officers far more productive, cutting
Exh 3: US 2017 Annual Net Charge Offs by Loan Type for Commercial Banks
Exh 4: Wide Array of Data Types on Consumers can make Credit Systems Efficient
labor costs by half or more with time. While AI isn’t perfect and could not be expected to eliminate all losses and costs from credit risk, the size of the burden on banks suggest tens of billions of dollars available to credit risk management solutions for US banks that could do better than existing processes, with the global market at least double the US figure (Exhibit 5).
Exh 5: Estimated Addressable Opportunity for AI led Credit Risk Management
Market risk is the possible effect of changes in interest rates and asset prices on the value of a bank’s assets and liabilities and on the margins that it may make on its various financial products. On the asset side, the value of loans is obviously tied to the interest rate yield curve, as are many of the bank’s obligations. Changes in these values, which do not typically offset, then effect the book value of the bank’s equity capital, an important measure used by regulators to determine limits to the bank’s lending, trading and other activities. Shifting interest rates can also affect the margins that banks can earn on lending.
In addition to interest rates, banks have market exposure to other market prices. Foreign currency exchange rates have impact on international transactions and other cross border activities. Real estate prices affect the delinquency rates of loans and the price of the loans if sold to 3rd parties. Trading operations will have exposure to various types of securities.
Market risk management processes are tasked with identifying all these exposures, including their sensitivity to movements in rates and prices, then recommending actions – hedges, asset sales, accelerating transactions, etc. – to mitigate the risk. This is not as easy as it sounds. Exposures may be embedded in complex assets or transactions – for example, the mortgage derivatives at the core of the 2008 financial crisis – or borne secondarily via an important trading partner or customer (Exhibit 6). Interest rate exposures must be calculated from a vast ocean of loans, layered across a continuum of maturities. AI
Exh 6: US Banking Net Income During through 2008 Financial Crisis
Exh 7: Estimated Addressable Opportunity for AI led Market Risk Management
systems can learn to tag and evaluate these risks, with more complete and accurate analysis than is possible with human directed analytic processes. AI can also predict and react to market movements more effectively than traditional tools, further improving the performance of market risk management.
The annual costs of imperfect market risk management are extremely volatile, and thus difficult to precisely quantify. In normal years, where interest rates and asset values are stable, the total cost of market exposure for US banks may be just $3-4B, but the 2008 meltdown is a fresh enough memory for the industry and regulators to demand serious measures (Exhibit 7).
Organizations do not operate perfectly. Employees make mistakes that cost money – war stories of “fat fingered” traders making errors worth hundreds of millions of dollars are plentiful. Employees may also be dishonest – embezzlers, hackers, saboteurs, and other bad actors can steal or destroy value and/or trigger regulatory penalties. Processes and systems may break down – IT downtime can leave customers hanging, and regulatory compliance failures can be very costly. In the 9 years right after the 2008 crisis, global banks paid $321B in cumulative fines for compliance violations. This year, Wells Fargo was hit with a $1B fine for abuses in its mortgage and auto lending businesses.
US banks already spend more than $70B per year on managing compliance and another $20B on cybersecurity, in addition to the more than $30B in estimated losses to error, fraud, cybercrime and compliance fines (Exhibit 8). AI is very well suited to the task of finding anomalies – all those errors and threats – and can do it quickly, before they can snowball to something costlier. We believe that cybersecurity, not just in banks, is at the cusp of an AI revolution with automated bots finding and resolving vulnerabilities, unearthing inappropriate activities, and flagging suspicious access more quickly and completely than traditional systems. AI can scrutinize every transaction, every client interaction, and every internal decision logged for potential compliance violations. This should deliver superior outcomes at substantial cost savings vs. the labor-intensive alternatives.
Garbage In, Garbage Out
Good AI models demand copious amounts of well-scrubbed and properly formatted data (Exhibit 9). Banks have a lot of data, but it tends to be held in fragmented, highly structured, and often inconsistently formatted databases that are poorly suited to the needs of machine learning. While perhaps less daunting than in healthcare, where much important information still resides in paper records, cleaning loan approval files, consolidating transaction records, reformatting structured databases, etc. will be a long and expensive slog. This will delay the impact of AI-based risked management, possibly for years, while demanding conviction and perseverance by banks and their investors.
Exh 8: Total Addressable Opportunity for AI led Operational Risk Management
Exh 9: Banking Data Assets are Poorly Formatted and Inconsistent
Inside the Black Box
Modern AI is based on machine learning techniques of self-adjusting algorithms that become increasingly accurate as they iterate through mountains of data over and over. With complex models composed of thousands of these self-adjusting algorithms, the mechanics of how the model resolves to a solution are very difficult to make specific. In this way, these models, called deep learning, are famously considered black boxes that make excellent but inscrutable decisions (Exhibit 10).
This won’t cut it for banks, which must satisfy regulators that might call any decision into question. Fortunately, researchers are working on new AI modeling techniques that provide an audit trail for decisions, highlighting the specific datapoints that were influential in the result. While it may be years before banks and regulators are comfortable with fully automated AI loan approvals, we believe more transparent versions of AI techniques will begin to provide enough visibility to provide necessary accountability, particularly if AI is initially used as support rather than replacement for human decision makers. Still, modest progress in opening the black boxes will be a gating factor in how quickly AI will permeate banking risk management, particularly in credit applications.
Exh 10: Black Box Nature of needs to be Solved for Financial Applications