To be the best-in-class product, you need to be able to read the market, understand what your customers truly want, and ensure financial security for customers.
It’s essential that risk and product teams collaborate at various stages of the process, from planning, to design, to development, and even through analysis and adjustments.
To help you instill a constructive, cooperative environment for risk and product teams, we’ll explore what a collaborative risk culture is, why it’s so important for product development and organizational growth, and how risk teams can contribute to the success of the product team.
A collaborative risk culture is a company culture that promotes cooperation between risk and compliance teams and other critical departments throughout the operation lifecycle. It involves including Risk and Compliance teams in product development and design.
Ultimately, it encourages companies to make fraud and AML compliance a core part of their operations and ensure that all team members - not just Risk and Compliance professionals - consider risk management when designing and developing their product. Looking at FRAML as interrelated helps companies streamline their operations and get the best level of protection for customers (and their product).
Without the proper backing from upper management, risk teams fail to reach their full potential - costing the business success in the process. To get the most value out of a product, companies need to leverage their teams in the best ways possible.
Unfortunately, many companies think in very traditional ways, relying heavily on manual systems to manage operations, siloing product and risk teams, and creating separate workflows (and in the process, added work). Subsequently, risk professionals are often not integrated into the process as early as they should be, or included in tasks that are ‘not within their scope’. This causes companies to lose out on added value, optimization, and overall performance of the product.
Having a collaborative risk culture allows businesses to tap into vital information at different product development stages, helping to deliver a better final product and adjust to what customers want - all while keeping the organization secure. It allows both teams to streamline their process, and eliminates the need for both product and risk teams to consistently adapt to what the other does. With both on the same page, they can work in parallel, saving time and cutting costs of compliance operations.
Too often, risk and compliance is an afterthought.
Engineers are given broad requirements by compliance professionals (usually without a Compliance product or program manager as an intermediary) with unspoken expectations that best practices for fraud are incorporated during the technical design phase. However, this lack of clarity in communication usually results in adequately compliant Fraud/AML systems that fall just short of industry-defined best practices. Furthermore, this creates a dependency on engineering to resolve issues if any arise, or update existing frameworks as regulations change.
Case in point: Imagine that an internal engineering team maintained an internal OFAC list or match list of some sort, and either geopolitical or sanctioned criminal activity occurred, which took the internal team weeks to update due to competing priorities, leaving your entire system susceptible to attacks in the interim.
Incorporating risk and compliance teams earlier on in the process can yield a host of benefits.
To help us explain each point, we’ll use an example throughout this entire article.
The product team is developing a new feature that would allow $50,000 in a single transaction, and give immediate availability.
Obviously, a feature like this is great from a product or sales perspective, as it would likely see significant traction and interest from consumers. However, it’s also enticing to fraudsters, as it gives them extensive availability of funds with a short waiting period.
Product teams, by nature, think about enablement; with that in mind, they often see ‘the perfect customer walking the perfect path’, which in practice, is often not the case. Without input from the risk and management team throughout the build process, a feature like the above could force the risk management team to be reactive (rather than proactive). Instead, it’s best to give risk and compliance teams the chance to offer input before the product is built, so they can offer insight that will impact design and development.
Risk and compliance professionals have unique insights that the product team may not consider; what are the actual risks of the features entering the product ecosystem for that business? What’s the potential liability and risk exposure?
Let’s look at how risk and product teams should collaborate (using the example above).
1. Risk teams can identify challenges or risks with adding a new feature/product to your ecosystem
Risk management teams will have good insight into the risks associated with integrating the new feature into your product. They’ll know not only broad threats that the new feature poses in terms of liability and risk, but they can do an in-depth risk analysis to look at your company's exposure and the immediate threats you’re likely to face.
Depending on how your customers behave, Risk & Compliance teams can determine whether the feature is a high risk for your platform, regardless of whether it seems risky at face-value.
Risk & Compliance teams will understand that allowing immediate availability to $50,000 will leave the company exposed to significant risk and liability, no matter what the customer behavior is. Even only a few incidents of fraud would leave the company exposed to immense financial risk.
Risk management extends far beyond just transactions; it can include identity verification at the point of onboarding, customer due diligence, and behavioral analytics. Features can impact security in various ways, and many risk processes could be required of the risk team, so aligning the two is extremely important for ensuring security is adequately addressed.
2. Risk teams can help product teams determine how a feature may be abused
When their expertise is tapped early on, risk managers can help product teams understand how a feature could be abused by fraudsters - or even customers. They’ll also be able to identify how both of those groups would commit fraud, and how those attempts will differ.
Even more importantly, they can predict how a feature is likely to be abused based on current fraud and money laundering trends, previous user behavior, and experience in the field. Risk professionals will know what flaws to look for, and can help the product team develop a feature that is less likely to be exploited.
Risk & Compliance teams will see that this feature will attract fraudsters looking to exploit immediate access to funds. Regardless of how difficult it is for criminals to be successful in their attempts, the allure of a high-value transaction will be enticing enough to draw serious and numerous attempts at fraud.
3. Risk teams can help product teams determine if a new feature is a good market fit for your customers
While Risk & Compliance teams aren’t often thought of as product developers themselves, they have detailed insights into customer behavior - specifically how customers (and fraudsters) use the product (and various features).
This information can be leveraged by product teams to better understand how customers use certain services, and which features customers want (or could benefit from) most. They may even have insight into which features or products are an ideal fit for customers, based on how products are being used.
If the average customer transaction is $700, Risk & Compliance teams will know that a feature enabling $50,000 in a single transaction is unlikely to be used by your existing customers. In this case, you’re serving fraudsters more than you are your actual customers (and the feature probably carries more risk than it provides benefits to your users).
Risk and Compliance teams would have an idea of this behavior, and be able to help steer the product design and development process to fit the company’s customer-base.
4. Risk teams can look toward the future implications of new capabilities/features
In many cases, product developers design a product, feature, or capability for a customer at a specific point in time; it solves an immediate, short-term problem. In many cases, these short-sighted decisions may not be the best long-term decision (or use of resources). These solutions can also be hyper-focused on a specific customer’s use case, and fail to meet the needs of other customers.
Risk and Compliance professionals have good insight into how the same customer can use a feature at different points in time - rather than a single use case. Instead of having to build multiple features, you can build one that can be used effectively in a few ways.
The Risk & Compliance team may suggest steering clear of a product so focused on the $50,000 transaction limit, instead recommending a scaling value based on customer behavior. By reevaluating and adjusting the framing of the service altogether, they can limit the appeal to fraudsters. Taking the $50,000 ‘price tag’ that criminals see may drastically mitigate the potential for the feature to be abused or the actual risk exposure the company could face.
5. Risk teams can look at ways of offering tiered access to services
As we’ve seen, the risk team can explain - and back up with customer behavior - why a feature may not be viable. Alternatively, they can provide insight into how the feature can be set up to limit risk and liability. A great way of doing this is by regulating the use of features, and restricting and enabling access to certain capabilities.
This can be used to create a roll-out of a feature to customers that factors in - and actively mitigates - risk. Features can be extended to customers, and then over periods of time or based on good behavior and standing with the financial institution, this base feature can have limits removed. Common ways financial institutions do this is by increasing transaction limits on banking services or products, increasing the availability of funds, and reducing the length of hold days on the transactions.
Risk & Compliance teams may recommend limiting access based on a customer's tenure with the company, greatly limiting exposure as fraudsters have to be consistent customers to be able to engage in fraud. It eliminates immediate access and de-incentivizes criminals.
Another good option could be restricting the availability of funds, offering customers a portion immediately with the remainder being released after a holding period. This could also be done in a tiered manner based on customer tenure or behavior. Customers with 6 months or 10 completed transactions in good standing could be given access to $1,000 immediately; customers with 1 year or 30 completed transactions in good standing could be given access to $2,000 immediately, and so on.
As you can see, what seems like a straightforward feature can be adjusted in many ways to regulate risk for different customers. This allows companies to offer the best, most competitive services to their customers while effectively balancing risk management.
Ultimately, this comes down to looking at how the same customer can use the same product or feature at different points in time throughout their life cycle. To do this, companies will need to segment customers (typically based on their behavior and tenure with your company).
Now that we know why it’s so important for risk teams to collaborate throughout the entire product lifecycle, let’s look at the top 3 tips and strategies for effectively collaborating.
1. Include an internal review step for risk management teams early in product/feature development
Let’s start with the first (and arguably most important) rule; risk managers should be given a chance to internally review the feature or product early in the product development process.
Incorporating the Risk & Compliance team in the design process will give Risk & Compliance teams the chance to provide input before the product is put into development. This can save significant time on product development and alterations. They can build the product with risk considerations in mind, and can even avoid some glaring issues that may have been overlooked. The Risk & Compliance team offers a unique perspective that is valuable not just after product development, but before and during as well.
2. Keep an open and transparent line of communication
Open and honest discussion throughout product design and development is critical to product success. Without both teams working together towards the same end, companies will struggle to deliver the final product they intend.
The product team should have numerous points of contact throughout the process, not only to make sure they hit the mark with the final product, but also to streamline operations along the way. Make sure that risk teams are given a say at critical points in the design and development process, and ensure teams feel comfortable speaking candidly. If teams don’t have good rapport and aren’t comfortable sharing critical issues with the product, the product will fall short.
3. Review product development processes for the best places to get input from the risk team
Remember, you can always improve on your product (and the processes that bring that product to life). Consistently review product development processes and look to identify the best point in the process to get feedback from risk teams. This can include adding opportunities for feedback from the risk manager, but it also means streamlining the process to give the risk team the greatest potential for meaningful impact (while still limiting interactions between risk and product teams to keep them working on their other objectives).
Be careful not to discourage collaboration in this way; instead, the aim is to get the most value out of the time product and risk teams spend together.
Risk Teams Can Identify Potential Abuses and Exploits of New Features and Products
Risk teams have a unique lens at how customers use your product and features. Professionals can be leveraged not just to manage risk, but to help the product team with planning and executing their vision.
More importantly, proper communication can streamline operations by aligning on goals early on and working cohesively towards the same goal. Risk teams have an eye for how features are likely to be abused, how they fit within your product ecosystem, and the overall risk and liability associated with specific features.
Onboarding orchestration that verifies customer identities and transaction monitoring that can detect anomalies are great features for financial service risk teams to use (no matter the use case!).