Sultan Meghji – Duke University, Carnegie Endowment for International Peace, Bretton Woods Foundation (former Federal Deposit Insurance Corporation)

Nick Reese – George Washington University & Department of Homeland Security

Jack Speer – Johns Hopkins University, National Public Radio & SAG-AFTRA

Executive Summary:

The 4 authors are excited to have seen the OCC call for papers as it relates to emerging risks in the banking system. These kinds of questions are key to the ongoing process of maintaining the safest and sound banking system in the world and maintaining the leadership of the United States in the global banking system. This is a massive question and we have tried to focus on a specific set of areas that we believe are both the most critical as well as the easiest to directly address inside of existing statutes and authorities for the OCC.

Contents:

1. Executive Summary
2. Risk Context and Scalability
3. Changes in Risk Landscape
4. Changes in Banking Landscape
5. Communications
6. Cybersecurity
7. Quantum Computing
8. Artificial Intelligence
9. Conclusion

1. Executive summary

We should first point out that there is a myriad of risks in the banking system already, and we specifically chose to not include them, leaving the system in, in our opinion, a far more precarious place than most people realize. The strength of the full faith and credit of the United States of America has, until now, been more than enough to offset those risks. Today, it is the author’s view that we are beginning to see the limitation of that as an absolute and now more a function of an overall risk discussion that is not fully quantified or even understood in the sector.

Second, we feel that the overall banking and risk landscape is worth calling out in some degree of detail beyond purely the technical changes. From concentration risk to geopolitical risk to other macroeconomic trends, we see the landscape as being more in flux now than at any other point since the era of Bretton Woods at the end of the Second World War.

Third, we have specifically picked areas both of immediate need as well as those with timelines that require attention in the very near future. In terms of specific functional risks, we see the coming evolutions in Artificial Intelligence, Cybersecurity, and Quantum Computing as most impactful in the medium and longer term.

Finally, we should highlight that we do not consider the current iteration of crypto as a strategic risk to the banking sector. Web3 will, without doubt, completely remake the technical landscape of the financial sector, but given the current White House programs (and we include the various regulatory bodies’ enforcement actions as an extension of that), we do feel it is worth including crypto in this document. Wholesale technology replacement will eventually happen, but broader shocks to the system as well as significant reallocation of resources will have to occur first.

2. Risk Context and Scalability

Any call for papers on emerging risks to the financial sector will certainly contain references to technological risks, specifically issues such as quantum, cyber, and artificial intelligence (AI). Those three issues are in fact risks to the financial sector and are deserving of mention in any emerging risk conversation. To be certain, those three specific technologies are discussed here, but the distinguishing factors that make this emerging risk discussion unique from others are how convergence and context make those risks more specific and actionable. Further, the ability to model risk in a way that allows for a more accurate and timely view of how convergence and context impact emerging risks creates a novel approach reflective of the speed and complexity of the risk environment. Simply identifying cyber or quantum or AI as risks is too vague to be able to direct meaningful changes to OCC’s core mission functions. However, identifying specific risks on informed timelines creates space for planning, entrance into budget cycles, formation of partnerships, and research and development.

Great power competition (GPC) is a phrase often used but infrequently defined. It refers to the current geopolitical environment where emerging technology is the primary asset driving national policy decisions and expenditure of blood and treasure globally among nation-state powers. This era is defined by a constant state of cyber warfare, weaponization of information, exponential technology growth, and dynamic economic conditions. The combination of these four conditions drives an emerging risk environment that requires scalability to identify, analyze, and mitigate risk. The state of the geopolitical environment including relationships between nation-states is a dynamic issue with a direct correlation to the aggressiveness and volume of cyber risks as an example. This reality necessitates a risk approach that fully considers the context around current risks to aid in understanding emerging risks. That context includes the geopolitical environment but is incomplete without additional scalers covering the legal/regulatory environment and the state of the economy. Together, these three factors provide a broad context within which emerging risks can be identified and mitigation methods can be created and applied.

1. Geopolitical Environment
2. Financial Legal/Regulatory Environment
3. Status of the Economy

Putting risk in the proper context is a first step but is incomplete without the ability to apply adjustments that reflect real situations. The risk scalers can be thought of as defining the scale on which emerging risks can be plotted both in terms of the level of risk of an activity and risk acceptance. How much risk a particular piece of technology may present to OCC is directly proportional to the geopolitical environment, financial legal/regulatory environment, and the status of the economy; all of which are dynamic factors. When deciding the level of risk presented by quantum computing, it is insufficient to base that assessment only on the status of the technology at that moment and a greater miscarriage to assume that initial risk assessment will continue to be valuable into the future. Instead, a risk assessment must allow for changes to the context in which risk decisions are made. In this way, emerging risks can be evaluated over time with the understanding that how they evolve will change.

Emerging risk will mean something different a year from now than it does today, which is why risk should be evaluated on a scale that reflects the most important contextual factors and allows for adjustments as the context changes. To illustrate this thesis, the next two sections will review changes in the banking and risk landscapes. The three sections that follow will demonstrate how those landscapes combined with the scaler approach inform the perception of emerging risks. Finally, the last section will provide a proposal for OCC consideration to operationalize this approach.

While this section is mostly focused on the more emergent areas of Risk as it relates to the banking system, we also will, at various points, highlight more strategic macroeconomic risk. Key areas that will be highlighted include Global Reserve Currency, Financial Rails/Infrastructure, Strength of the US Dollar, and Immigration.

3. Change in the Banking Landscape

The changes to the banking landscape over the last few years cannot be overstated. From the ongoing decrease in the number of banks to the atrophied depository growth outside of the largest 50 banks to the move to fintech for consumer-facing financial services, there is much in flight. Here we will focus on four specific areas of change that we think constitute the largest increases in risk:

1. Workforce technical acumen and age. The aging workforces in the banking system (from the staff at the institutions to the regulators to the legacy technology companies) are inexorably moving these institutions towards higher risk on a daily basis. The joke amongst the bankers was that 10 years ago the average age of a bank CEO was 65 and the bank chairman was 70, and today the bank CEO is 75 and the chairman is 80. While a hyperbolic joke, it is not too far from the truth. When the workforce atrophies, it becomes a significant challenge to adjust to outside pressures, with technology being one specific area.
2. Legacy technology in the system and the dysfunctional nature of technology contracts. The vast majority of banking Cores in the system are >10 years old. As such the cost to maintain, ability to maintain, and integrate as well as broader cybersecurity risks is increasing on a daily basis. Coupled with the prohibitive costs of the licensing contracts, terms and lack of investment in technology lead to an ever-aging enterprise technology environment. Newer technologies are being used exclusively in fintech and crypto – the ability for ‘challenger cores’ to launch is nearly non-existent. The significant concentration risk of 3 companies controlling over 85% of this market also cannot be overstated.
3. Investment outside of the banking system in banking services and technologies. Inside the banking system, over 50% of the technology spent per year is on maintenance, not on new products, services, or technologies. If you leave the banking system, banks are being significantly outspent by others in these same areas. For example, the Starbucks app holds a significant amount in deposits but is not considered a bank, or a fintech is not regulated as one. Starbucks spends orders of magnitude more than most banks’ entire IT budget on that app.
4. Massive growth in payment, credit, and lending platforms outside of the banking system. The gray areas and cracks in the systems are being routinely exploited by non-bank players – from Buy Now Pay Later to a variety of payment platforms that are implied to be ‘compliant’ but in most cases only are PCI compliant from one non-bank actor to another.

4. Changes in the Risk Landscape

The concentration of commercial banks in the US, i.e. the top 1% having the majority of deposits, poses significant risks to the financial system, which has been realized several times in just the past two decades.

Systemic Risk

A small number of large banks can pose systemic risks to the financial system if they experience distress.  The failure of a single large bank can trigger a chain reaction and cause other banks to fail, leading to a widespread economic crisis.

Too Big to Fail

The largest banks in the US are considered “too big to fail” because their failure would have significant negative impacts on the financial system and the broader economy.  As a result, these banks may engage in risky behavior, knowing that the government is likely to bail them out in the event of a crisis, i.e. TARP, PPP “loan” payments, etc.

Limited Competition

A concentration of banks limits competition in the industry, reducing true customer choice and potentially leading to higher prices and lower-quality services.  This has also led to increased market power for the largest banks, giving them the ability to set prices and influence market conditions, e.g. the current delta between 30-year mortgages and the 30-year Treasury.

Lack of Innovation

A lack of competition has stifled innovation in the banking industry.  A few large banks dominate the market and are less inclined to invest in new technologies and services, since there is little or no customer choice. It should also be noted that the capabilities in local and regional economic development from smaller state banks far exceed that of the larger national banks and the overall lack of innovation is having a broader negative impact at the ‘main street’ level.

Regulatory Capture

A concentration can lead to the risk of regulatory capture, where regulators are influenced by the largest banks and may be reluctant to enforce regulations. This leads to lax oversight of the industry, misconduct, and fraud.

Overall, while a concentration of commercial banks in the US can provide certain benefits, such as economies of scale, this poses significant risks to the financial system and the broader US economy.

5. Role of Communications in Ameliorating Risk

Systemic risk in global banking and financial markets is nothing new. In fact, the risk caused by external shocks or unanticipated events is endemic within the system and has been around for decades. While emerging technologies may amplify risks, they are just one factor. For example, much is made of the so-called “Black Swan” events popularized by author Nicholas Taleb. Taleb recounts the 1987 stock market crash as such an event. However, pressures had been building in the financial system for some time leading up to the market freefall, at the very least making such a crash more likely. And Taleb himself notes there are “narrated” Black Swan events… those already present already in the current discourse. And the type “nobody talks about since they escape models.”

So,  if we know such events are likely to occur at any given time, and in many cases, we have documented a high degree of likelihood, why is there still a lack of preparedness in place and what is the role of the communicative process in ameliorating risk? This is an area where I believe OCC and other financial regulatory bodies need to be more intensely focused.

In their article for the Federal Reserve Bank of New York, “ Cyber risk and the U.S financial system: A post-mortem analysis”, the authors note a cyber-attack could be “amplified” through the financial system, where “ estimated spillovers of an attack on one of the five most active banks…impair 31% of the network on average” on any given day.  The authors further state, “The top five most active banks in the payment system account for close to 50% of total payment”

Hackers have stolen billions from banks, including the so-called “Bangladesh Bank Robbery”, where dozens of fraudulent instructions were carried out through the SWIFT network in 2016. While most were ultimately blocked by the Federal Reserve Bank of New York, more than $100mil of an estimated $1bil was illegally transferred to Sri Lanka and the Philippines, some of which remains unrecovered. Future heists with the advent of ever more powerful computing systems are virtually inevitable.

In his analysis “ Threat and Risk: What is the Difference and Why Does it Matter?” David Strachan-Morris makes the argument that since 9/11 “ the terms ‘threat’ and ‘risk’ have entered the daily lexicon to a greater extent than ever before.”

So while a great deal has been written about financial risk and efforts to reduce such risk, much less time has been devoted to the reputational effects these types of incidents have on financial institutions. I would argue that communications and crisis preparedness play an important role in ameliorating some of the fallout from these events, in conjunction with the continued hardening of existing systems and vigilance on the part of regulators including the OCC.

6. Cyber

A cyberattack against an element of the financial sector is hardly an insightful analysis of risk, but because it is known makes it is no less relevant. One defining characteristic of GPC is the constant state of cyber warfare between nation-state actors and their proxies. While it will come as no surprise that cyberattacks are, and will remain, significant risks of primary concern to OCC, the specificity and timing of cyberattacks are more important. Cyber actors may operate with the explicit material and policy support of nation-states giving them access to sophisticated resources and a safe harbor from which to launch attacks. Defenders are at more of a disadvantage than ever as they face threats from well-funded and resourced cyber actors underscoring the importance of knowing when cyber threats are most likely and under what conditions.

An excellent example of applying this kind of risk scaling was the “Shields Up” campaign launched by the Cybersecurity and Infrastructure Security Agency (CISA) at the outset of Russia’s invasion of Ukraine. The messaging was that geopolitical events were such that cyberattacks against particularly valuable targets were increasingly likely. To be sure, the implication was not that normally organizations could exercise mediocre cybersecurity and at this particular moment needed to exercise world-class cybersecurity. In a sense, the shields should always be up. However, this was a signal to cybersecurity professionals and leaders that the context changed and with it the risk.

Learning lessons from this campaign, OCC can designate specific and dynamic factors that define the context of its risk picture. Once the structure is built, an initial state of risk can be identified and serve as a baseline. When conditions change, the structure changes providing scalability to the risk picture that captures real conditions. In the cyber context, what forces are at play that might increase (such as Russia’s invasion of Ukraine) or decrease (such as the takedown of LAPSUS$) the likelihood of a major coordinated cyberattack against the financial sector?

The second part of the picture is evaluating the convergence of other emerging technologies with cyber capabilities. Convergence is when two or more technologies combine to create a capability that is exponentially more powerful and impactful than any of them would alone. Cyber is particularly prone to significant swings in its risk perception due to geopolitical context and convergence.

Combining the risk scaler approach with a systematic evaluation of technology convergence makes the evaluation of emerging cyber risk actionable and operational. The strategic view of cyber as both an emerging and emerging risk is settled. The next frontier of emerging risk evaluation is how quickly risks can be recognized and actioned. This approach prioritizes action.

7. Quantum

Quantum information science (QIS) is a multidisciplinary scientific field that uses the properties of sub-atomic particles to represent and manipulate information. The specific field of quantum computing is an area of increasing innovation with the potential to create significant risk to the financial sector. A 2023 insight report published by the European Patent Office stated that the number of inventions in the field of quantum computing has multiplied over the last decade and that quantum computing inventions have outpaced all other fields of technology in terms of growth. A quantum computer of sufficient capacity called a crypto analytically relevant quantum computer (CRQC) will be able to break asymmetric encryption methods in common use for electronic communications and financial transactions. While the risk to encryption is known, the context around the risk creates the true narrative of the nature of this emerging risk. A CRQC is a technology with state power implications that is emerging as a race between geopolitical competitors. A CRQC in the hands of an adversary would present one of the most significant cybersecurity challenges ever faced and following the pace of development for a CRQC is challenging and imperfect. China made quantum computing leadership a key point of its strategy as laid out in its 14th Five-Year Plan. Specifically, China aims to be able to manipulate over a hundred coherent qubits by 2025. While that goal does not, by the most widely accepted estimates, get China a CRQC, there can be no doubt of its intent. A CRQC in the hands of an adversarial nation-state is rightly classified as an emerging risk, but understanding how and at what speed it is emerging takes a scalable approach.

China’s progress in creating a CRQC, and thus how it would impact the US financial system, is a product of the geopolitical environment and availability of accurate information. Chinese relationships with regional and global partners and its ability to acquire critical materials are key factors driven by the geopolitical environment. The quantum program in China is almost entirely state-run and includes a few select universities so what progress it self-reports will make an imperfect indicator of its true progress. Simply labeling quantum computing as a risk is vague and unhelpful to drive meaningful change in the financial system. Instead, quantum computing can be narrowed to the availability of a CRQC by an adversary nation before the transition to post-quantum algorithms is complete. That risk can be further defined by applying the relevant context and applying the relevant factors to understand more about the emergence of this risk. Consistent updating of the risk environment through adjustable scalers gives a more accurate, timely, and actionable risk picture. Over time, the risk scale and adjustments made can be plotted as a time series visualization providing a more accurate aggregate representation of quantum risk.

8. Artificial Intelligence

First a table-setting comment – there is no Artificial Intelligence in the banking system; in fact, there is no artificial intelligence operational yet in our civilization. Artificial Intelligence is a category of a multitude of distinct technologies – from simple dynamic programming (which has been the banking system since before the year 2000) to the most cutting edge Natural Language Processing (like ChatGPT) and Machine Learning (such as is used in the current state of the art risk identification systems in the money laundering space). No artificial intelligence exists that is making significant quantifiable lending decisions as another example. A far better descriptor would be advanced algorithms.

Second, over the coming years, we will see the largest expansion in the use of advanced algorithms in the banking sector. Those algorithms will mostly be consolidated into two categories of actors – first, the fintech scattered around the banking system, and second inside of the largest 100 banks in the United States. Those algorithms have a number of specific relevant uses:

1. Automation of processes – in lieu of the legacy technology that no bank can afford to completely replace, and in a regulatory environment resistant to that kind of wholesale change, coupled with a significant human capital shortfall, we are seeing massive investment in these systems as automation tools. While the vast majority of these automatons have the highest value in the back office of banks, we are seeing it creep into the retail and front of the office side. Automation of back office functions is fundamentally not risky, and in most cases actually decreases the risk by enforcing standardization of process (for example more consistent math applied to SARS). On the retail or front office side, this is the inverse. Given that most of these technologies are coming from advertising and social media platforms, inherent bias is easy to diagnose. In the medium term, we expect to see significant differentials in customer identification, vetting, and onboarding that bypass the existing regulatory guidance and standards and cause a non-trivial impact on significant at-risk populations in the United States. In this case, AI is a ‘band-aid’ relative to the banks actually updating their Core systems to modern standards.
2. Customer interactions – the current massive expansion of natural language processing systems (like ChatGPT) has the opportunity to create another layer between customers and their institutions. Beyond the inherent technological capability bias that such a system implies, the lack of a thoughtful regulatory regime will leave most regulators in a position to simply not allow such systems – in essence throwing the baby out with the bathwater. Here we have a significant risk in ensuring equal, fair, equitable access to the banking system.
3. Identification of risk – the current manual risk management processes most banks employ in the United States are rife with issues – from simply missing things to the ability of the individuals responsible to knowingly allow activities in the banking system that should not be there. Utilizing AI to standardize the risk management processes and focus risk management staff on auditing of such activities ameliorates two significant issues. First, it appropriately improves the quality, consistency, and efficiency of the risk management processes. Second, it assists with the significant human capital shortfalls most banks are currently facing – and which will only get worse in the coming decades. Hostile actors are already making significant use of these technologies and without them in use, the potential for hostile actors to have meaningful impact increases.
4. Deep fakes are currently being used in a variety of significant ways to gain access to the banking system – from impersonating customers (including one of the authors of this paper recently) to causing market volatility by inserting noise into social media platforms – an extension of the kinds of election interference we have seen over the last 15 years, but systematized, scaled and commoditized. It is now possible to deep fake someone with an investment in hundreds of dollars. Imagine the scale of spam email, but applied across nefarious attempts to compromise bank accounts and you get a sense of the potential medium-term risk.

Third, given the inability of a comprehensive policy set to come from the Executive and Legislative branches in the near terms, the regulatory community will undoubtedly fall on ‘regulation by enforcement’ in the area of AI, making broad statements about the risks of using AI (similar to some of the guidance recently coming from the various regulatory bodies around crypto). However, unlike crypto, with AI there are far broader positives that these technologies can apply. Above we highlighted 3 that we believe are the most relevant in terms of potentials for introducing risk – both if not done, especially if done poorly. Regulating “AI” is both impossible and a waste of time. Our suggestion would be to work backward from what success is considered… AI should not introduce any unmanaged new risk, and hopefully, it should reduce risk. This lack of policy and the potential for actions by the federal government to a misstep is in and of itself a significant risk. A set of smaller specific guidance actions, such as requiring any algorithm that makes a credit or lending decision to be both ‘deterministic’ and ‘transparent’ would do far and away more good than a broad regulation on not using “AI” for credit or lending decisions.

As a bit of a tangent – we specifically used the words Algorithm, Deterministic and Transparent. Determinism says that all events in a system are ultimately determined by causes regarded as external to the will – which would alleviate the ability for bias to be included in such a system (we do not feel the need to define algorithm or transparent as they are broadly obvious, we do not know how many philosophy majors would read this document). Determinism is key – it creates in the builders of such technologies as we are discussing here a design requirement. A parallel would be in security by design – the type of encryption is (broadly) irrelevant as long as it is secured, complies with standards, and is auditable. The same we think will be true here – standards around AI will eventually be built – in this window where they do not yet exist, outcomes-based rules are a useful starting point.

9. Conclusion

Here the authors have attempted to lay out what, to us, are the most meaningful areas of potential risks in the system and coming in the medium term. In an attempt at brevity, we have limited this document to its current length, but offer the opportunity in any forum requested to continue the discussion – especially in the areas of AI, Cyber & Quantum. In all three cases, we see significant risk, but also a significant opportunity to ameliorate risk and extend the capabilities of the banking system.

At a global level, we believe the greatest threats to the American banking system are myriad ways in which the global economy is moving away from the US Dollar. From the PRC’s moves to create retail and other consumer payments activities in Africa, to new financial hubs growing with a multi-currency worldview instead of one focused on the US Dollars as the dominant global reserve currency, we encourage all to ensure that innovation is allowed to flourish to ensure that the US Dollar continues to be the currency of choice globally for countries and companies.

We applaud this project by the OCC and hope to see it and others in similar veins be successful.