Insights

Automated Testing Allows Banks to Cover More Risk More Effectively

Written by Spinnaker Team | May 13, 2021 2:49:11 PM

A decade ago, banks expected regulators to arrive for scheduled routine examinations, where they would conduct external testing and point out any problems they uncovered. But as we look at today’s regulatory landscape, the scenario has flipped. Across the industry today, regulators increasingly expect banks to have robust risk management frameworks to proactively catch and resolve issues before anyone else identifies problems – and especially before any customer impact occurs.  

Nowadays, regulators walk in and directly ask how strong your bank’s testing program is, measured in part by the issues it has uncovered and how timely and adequately you are remediating those issues. They want proof that you’re actively looking to find and fix problems early. While it might sound ironic, banks who report issue-free testing often raise a red flag with regulators, who know that processes come with risks of breaking down no matter how watertight your ship is.

Amid these regulatory expectations, banks are vying to outdo each other by integrating cutting-edge technology into how they deliver and manage every product and service – including timely updates to create more sophisticated digital channels – but they haven’t quite seen the full light on how the measured use of technology can bolster their risk management programs. More specifically, a new type of automation, known as Robotics Process Automation (RPA), can be a powerful tactic in advancing a bank’s risk management programs. Put simply, RPA deploys a set of software tools that mimic repeatable business processes. In fact, this emerging discipline, regulatory technology (more commonly referred to as RegTech), reflects the growing use of digital tools and applications in risk and compliance programs.

No world (or bank) is perfect, and things go wrong. Testing is nothing more than pulling back the curtain beforehand to confirm each process and the controls installed as guardrails – which can be automated processes themselves – are working exactly as designed and intended, whether implemented as part of your underlying business strategy or as regulatory requirements. For years, banks have relied on manual testing, usually focusing on a cross-section of processes with the highest risk for customers, reputational or fiscal consequence.

Against those intensifying oversight demands and limited testing resources, banks, more than ever, need to leverage automation, or RPA, in their testing to strengthen their risk management programs. Doing it the right way results in three large gains:

  • Get the most bang for your buck: Growing your program with manual testing means hiring more risk and compliance analysts, leading to increased salaries and benefits. Automation requires one-time, scalable investments.
  • Cover more ground: Expand your testing environment exponentially. Rather than pulling only a small sample for your staff to review, make a giant leap with automation to assess larger populations. You also can broaden your testing breadth to analyze more processes, not just a select few.
  • Ramp up your accuracy: Automated testing conducts the same review every single time, giving you confidence that processes fulfill intent. If you deepen your testing, you gain a broader testing environment that adds greater weight to the accuracy of your results. Removing the human touch reduces the likelihood of a host of errors.

Beyond identifying issues, real-time testing gives you integral insights for ferreting out root causes to fix and inform your remediation plan when you find an off-kilter process. The more you demonstrate how your actions support a well-managed organization, the better your relationship will be with your regulators. In practice, regulators more and more are looking for open information pipelines, where banks are regularly reporting issues and resolution efforts.

Build on a solid risk management framework

Testing, whether manual or automated, is an integral part of your bank’s risk management framework. You want to start with solid, proven manual testing practices. If you’re migrating existing testing protocols which are lackluster at best, automation won’t elevate your risk management agenda. Get your house in order first with a testing environment designed to give you comprehensive oversight of your processes and their performance.

Reliable, accurate data is the second critical ingredient for success. Don’t get swept up with automation excitement and forget to take care of this fundamental basis for effective testing. Your data goes hand-in-hand with your testing protocols. Shifting bad data and poor practices to automation does nothing more than recreating a flawed testing approach as a digital exercise.

With an anticipated wave of new regulatory pressures, banks want lifelines for effectively managing operational oversight to meet those expectations. Automated testing is the most efficient way to get there.

Your effective transition to testing automation

Implementing innovative technology solutions has become more ingrained in many banks’ core business DNA in recent years, but most have been slower to implement similar cutting-edge technology, including automation, into their non-revenue functions. But it appears the tides are changing. The RegTech segment, which serves only a fraction of what we consider within testing, is expected to grow by 20% by 2025 as banks become more open to other applications and possibilities from technology.

Being on the leading edge in effectively implementing testing automation could be to your advantage, with better process oversight, customer protection, and regulatory awareness. Dare we say, holding back could work against you, as automation will quickly become yet another regulator expectation. If you’re unsure where to start or what to consider, we offer a few recommendations to put you on the right path forward: 

  1. Engage the right people in the process. Once again, regulators are redefining the playing field, as testing once remained the purview of your second and third lines. In the past five years, oversight agencies expect your first line – those people who own the process and create the risk – to be monitoring their processes as well. When you involve people from every line of defense and gain consensus on how you structure and conduct your testing, you create a scalable, more efficient program. And, of course, since we’re talking automation, get your technology folks on the same page no matter whether your initiative involves straightforward coding or sophisticated artificial intelligence.

  2. Know what to automate – and what to leave alone. Dedicate your initial energy and resources to automate testing for basic practices, which represent a significant volume of processes; addressing a lot of low-hanging fruit at the onset will vault you forward significantly. Along the way, you can establish skills, systems, and protocols within this new space to be prepared to then tackle more complex processes. The most sophisticated testing should enable you to detect a granular defect in a single account.

    Automating weak processes and ineffective controls can amplify your risk markedly. As you plot out a testing protocol, if you see yourself detailing exception after exception, take those as warnings to maintain manual testing for now. Even the most advanced machine learning still presents challenges, including bias.

    Additionally, if you are testing a process that requires any judgment on its accuracy, assign those to your staff. Right now, for example, I wouldn’t advise automated testing on Unfair, Deceptive or Abusive Acts or Practices. Even though it’s part of a written law, the interpretation of whether somebody has crossed the line in those practices remains a gray area, and machines still work in black-and-white conditions. Gray areas require a human eye so that you can look at those processes from many different angles, and even still, you might not be able to find a clear right or wrong answer.

  3. Leverage good data and solid protocols. Automated testing today generally introduces an artificial intelligence script to compare data, such as a field on one form to the same field on another form. First off, the data needs to be accessible, meaning that you have good data governance, quality control on data input. Before introducing any customer or other data into automated testing, validate that it’s exactly what it needs to be. Take the transitional opportunity to review targeted manual protocols to determine if they are still working effectively. You can also use this opportunity to expand the scope of testing as you migrate into automation. And don’t forget to test your automated testing before it goes into production. It needs to work flawlessly. Otherwise, you risk exponentially exacerbating any deficiencies, which will actually create more work for you and have the opposite impact you are striving for.

  4. Test and repeat. By design, testing is repetitive, but it’s not always the same. Each of your three lines of defense comes at testing exercises with different objectives. Let’s consider a mortgage loan. The first line might run testing the day after closing to check certain items are captured. Monthly, the second line might come through to review a sample, but maybe it’s validating Annual Percentage Rates. And audit, your third line, could approach it even differently. Each line’s needs drive its associated testing cadence and goals.

  5. Act on the issues amplified by automation. As we discussed earlier, automation allows you to dig deeper and broaden testing – and you’re going to potentially find a lot more issues. That said, a great byproduct of automation is stronger, timelier, and data-driven reporting, which should be dynamic and allow you to drill down to identify trends. This also allows your testing resources time to focus on exceptions and conduct root cause analysis, so you can thoroughly fix any identified issues and prevent reoccurrence.

    If you aren’t acting on that information, then why are you generating it? Finding and sitting on an issue only lands you in the hot seat with regulators. Effective testing routes those issues through the appropriate governance channels to resolve.

When you invest the appropriate time, energy, and resources to doing this correctly, automated testing will increase your consistency and efficiency, as well as allow you to monitor more processes, whether they are business-as-usual or newly launched into production. The resulting reporting, which replaces your manual paperwork, also plants the seed for a more comprehensive audit trail, which ultimately adds another layer in reducing risk.

Effective testing automation blends risk management and data analysis expertise. Our team, culled from the nation’s top 50 banks, can help you develop a comprehensive strategy and tailored implementation plan to automate your testing, which will elevate your efficiency, accuracy and efficacy to levels demanded by customers and regulators alike, not to mention boosting shareholder confidence that you’re doing the right thing. Download our testing automation one-page guide for tips (and a succinct explanation for internal buy-in) on getting started.