Martin Leo * , Suneel Sharma and K. Maddulety

risks

Article

Machine Learning in Banking Risk Management:
A Literature Review

Martin Leo * , Suneel Sharma and K. Maddulety

SP Jain School of Global Management, Sydney 2127, Australia; [email protected] (S.S.);
[email protected] (K.M.)
* Correspondence: [email protected]; Tel.: +65-9028-9209

Received: 25 January 2019; Accepted: 27 February 2019; Published: 5 March 2019
����������
�������

Abstract: There is an increasing influence of machine learning in business applications, with many
solutions already implemented and many more being explored. Since the global financial crisis,
risk management in banks has gained more prominence, and there has been a constant focus around
how risks are being detected, measured, reported and managed. Considerable research in academia
and industry has focused on the developments in banking and risk management and the current
and emerging challenges. This paper, through a review of the available literature seeks to analyse
and evaluate machine-learning techniques that have been researched in the context of banking risk
management, and to identify areas or problems in risk management that have been inadequately
explored and are potential areas for further research. The review has shown that the application of
machine learning in the management of banking risks such as credit risk, market risk, operational
risk and liquidity risk has been explored; however, it doesn’t appear commensurate with the current
industry level of focus on both risk management and machine learning. A large number of areas
remain in bank risk management that could significantly benefit from the study of how machine
learning can be applied to address specific problems.

Keywords: risk management; bank; machine learning; credit scoring; fraud

1. Introduction

Since the global financial crisis, risk management in banks has gained more prominence, and
there has been a constant focus on how risks are being detected, measured, reported and managed.
Considerable research (Van Liebergen 2017; Deloitte University Press 2017; Helbekkmo et al. 2013;
MetricStream 2018; Oliver Wyman 2017), both in academia and industry, has focused on the
developments in banking and risk management and the current and emerging challenges. In tandem,
there has been a growing influence of machine learning in business applications, with many solutions
already implemented and many more being explored.

McKinsey & Co highlighted that risk functions in banks, by 2025, would need to be fundamentally
different from what they are today. The broadening and deepening of regulations, evolving customer
expectations and the evolution of risk types are expected to drive the change within risk management.
New products, services and risk management techniques are being enabled through the application of
evolving technologies and advanced analytics. Machine learning, identified as one of the technologies
with important implications for risk management, can enable the building of more accurate risk models
by identifying complex, nonlinear patterns within large datasets. The predictive power of these models
can grow with every bit of information added, thus enhancing predictive power over time. It is
expected that machine learning will be applied across multiple areas within a bank’s risk organisation.
Machine learning has also been recommended as an initiative that could help in the transformation of
the risk management function at banks.

Risks 2019, 7, 29; doi:10.3390/risks7010029 www.mdpi.com/journal/risks

http://www.mdpi.com/journal/risks

http://www.mdpi.com

https://orcid.org/0000-0001-6091-6959

http://dx.doi.org/10.3390/risks7010029

http://www.mdpi.com/journal/risks

https://www.mdpi.com/2227-9091/7/1/29?type=check_update&version=2

Risks 2019, 7, 29 2 of 22

The paper seeks to study the extent to which machine learning, which has been highlighted
as an emergent business enabler, has been researched in the context of risk management within the
banking industry and, subsequently, to identify potential areas for further research. The aim of this
review paper is to assess, analyse and evaluate machine-learning techniques that have been applied
to banking risk management, and to identify areas or problems in risk management that have been
inadequately explored and make suggestions for further research.

To determine the risks specific to banks, as an alternate to leveraging on existing literature,
this paper provides a taxonomy of risks that is developed based on a review of bank annual reports.
An analysis of the available literature was carried out to evaluate the areas of banking risk management
where machine-learning techniques have been researched. The research evaluated the risk areas where
machine learning has been implemented in the risk types and the specific risk methodology they
addressed. The analysis also identified the machine learning algorithms being used, both for specific
areas and in general.

Section 2.1 provides an overview of risk management at banks, the key risk types and risk
management tools and methodologies. Section 2.2 gives a quick introduction to machine learning
and its use. Section 3 begins by providing an overview of the research methodology. The section
further examines the existing research around the application of machine learning in the management
of risk at banks. It provides an analysis of the areas where the application of machine learning has
been studied, highlighting areas where there is little to no academic study. Section 4 discusses the key
observations from the review, stressing the potential challenges and topics that could be addressed in
the future. Section 5 summarises the general findings from the study. The paper concludes by listing
additional areas or problems in banking risk management where the application of machine learning
can be further researched.

2. Theoretical Background

2.1. Risk Management at Banks

The bank’s management’s pursuit to increase returns for its owners comes at the cost of increased
risk. Banks are faced with various risks—interest rate risk, market risk, credit risk, off-balance-sheet
risk, technology and operational risk, foreign exchange risk, country or sovereign risk, liquidity risk,
liquidity risk and insolvency risk. Effective management of these risks is key to a bank’s performance.
Also, given these risks and the role that banks play in financial systems, they are subject to regulatory
attention (Saunders et al. 2006). The regulators require banks to hold capital for the many risks that
arise and are carried due to a bank’s varied operations. The Basel standards for the determination of
capital requirements were developed in 1998, and since then, have developed and evolved. Capital is
required for each of the main risk types. Credit risk has traditionally been the greatest risk facing banks,
and usually the one requiring the most capital. Market risk arises primarily from the trading operations
of a bank, while operational risk is the risk of losses from internal system failures or external events.
In addition to calculating regulatory capital, most large banks also calculate economic capital, which is
based on a bank’s models rather than on prescriptions from regulators (Hull 2012). The main risks
that banks face are credit, market, and operational risks, with other types of risk including liquidity,
business, and reputational risk. Banks are actively engaged in risk management to monitor, manage
and measure these risks (Apostolik et al. 2009).

Market risk can be defined as the risk of losses “owing to movements in the level or volatility of
market prices” (Jorion 2007). Market risk includes interest rate risk, equity risk, foreign exchange risk
and commodity risk. Interest risk can be defined as the potential loss due to movements in interest
rates. Equity risk can be defined as the potential loss consequent to an adverse change in the price of a
stock. Foreign exchange risk can be defined as the risk that the value of the assets or liabilities of a
bank changes due to fluctuations in the currency exchange rate. Commodity risk can be defined as the
potential loss due to an adverse change in the price of commodities held. The market risk framework

Risks 2019, 7, 29 3 of 22

of the Basel accord consists of an internal models approach and a standardised approach. To capture
tail risk better, the revised framework also saw a shift in the measure of risk under stress from the
Value-at-Risk (VaR) to Expected Shortfall (ES) (Basel Committee on Banking Supervision 2006).

Credit can be defined as the risk of potential loss to the bank if a borrower fails to meet
its obligations (interest, principal amounts). Credit risk is the single largest risk banks face
(Apostolik et al. 2009). The Basel Accord allows banks to take the internal ratings-based approach
for credit risk. Banks can internally develop their own credit risk models for calculating expected
loss. The key risk parameters to be estimated are probability of default (PD), loss given default (LGD)
and exposure at default (EAD). Expected Loss = P D × LGD × EAD (Basel Committee on Banking
Supervision 2005a, 2005b).

Liquidity risk, treated separately from the other risks, takes two forms—asset liquidity risk and
funding liquidity risk. A bank is exposed to asset-liquidity risk when a transaction cannot be executed
at the prevailing market prices, which could be a consequence of the size of the position relative to the
normal trading lot size. Funding liquidity risk refers to the inability to meet cash flow obligations, and
is also known as cash flow risk (Jorion 2007). Banks are required to establish a robust liquidity risk
management framework that would ensure sufficient liquidity is maintained, including the ability to
withstand a range of stress events. A sound process for the identification, measurement, monitoring
and control of liquidity risk should be implemented (Basel Committee on Banking Supervision 2008).

Operational risk is defined by BCBS as the risk of loss resulting from “inadequate or failed
internal processes, people and systems or from external events” and is a “fundamental element of risk
management” at banks. This definition includes legal risk, but excludes strategic and reputational risk.
It is considered inherent in all banking products, activities, processes and systems (Basel Committee
on Banking Supervision 2011). In the annual reports, operational risk was varyingly presented and
included a number of sub risks, and could be referred to more as non-financial risk. It included, among
many others, fraud risk, cyber security, clients products and business practices, information and
resiliency risk, money laundering and financial crime risks, vendor and outsourcing risks, technology
risk, business disruption risks. In some instances, banks have reported compliance and legal risk also
under operational risk.

To determine the risks specific to banks, as an alternate to leveraging the existing literature,
a review was done of bank annual reports. Based on the review, a taxonomy was charted of the various
risk types that banks typically seek to manage as part of their business and the methodologies and
tools in use. The annual reports of 10 leading banks were reviewed to determine which risk areas
were specifically being reported on by these banks. The review also included identifying the specific
tools, methodologies or risk management framework components that were in use. To get wider
coverage, the list of banks included a representative from each region—US, predominantly globally
operating banks, European banks, and also an Asian bank. Also, these banks operated a wide ranging
of banking business lines—investment banking, securities trading, consumer or retail banking and
corporate banking. While there were differences in the way the risks were discussed and presented,
including sub risks, the top risks were largely the same and included credit risk management, market
risk management, liquidity risk, operational risk.

A chart (Figure 1) depicting the taxonomy of the various risk types discussed in bank annual
reports and also the various methodologies or tools (Figure 2) implemented to manage these risks is
included below.

Risks 2019, 7, 29 4 of 22

Risks 2019, 7, x 4 of 21

Figure 1. Taxonomy of risks.

The chief risk officer has access to risk insight and intelligence that was more retrospective in
nature, such as incident analyses focusing on understanding what happened and why. Now,
increasingly, they are gearing up with tools that allow for a look ahead that facilitates the predicting
of potential risk incidents. Data mining, scenario modelling and forecasting are built-in features of
most risk management solutions. Cognitive (pattern recognition by visualising and identifying
apparent and later trends in historical data) and algorithmic (establishing causal relationships
between diverse events and data sets) intelligence is making way for augmented (natural language
processing and machine learning) and assistive (contextual virtual intelligent assistance) intelligence
that augments and accelerates decision making (MetricStream 2018).

Figure 1. Taxonomy of risks.

The chief risk officer has access to risk insight and intelligence that was more retrospective
in nature, such as incident analyses focusing on understanding what happened and why. Now,
increasingly, they are gearing up with tools that allow for a look ahead that facilitates the predicting of
potential risk incidents. Data mining, scenario modelling and forecasting are built-in features of most
risk management solutions. Cognitive (pattern recognition by visualising and identifying apparent
and later trends in historical data) and algorithmic (establishing causal relationships between diverse
events and data sets) intelligence is making way for augmented (natural language processing and
machine learning) and assistive (contextual virtual intelligent assistance) intelligence that augments
and accelerates decision making (MetricStream 2018).

Risks 2019, 7, 29 5 of 22

Risks 2019, 7, x 5 of 21

Figure 2. Risk Management Methods and Tools.

2.2. Machine Learning

Machine learning has been explained as lying at the intersection of computer science,
engineering and statistics. It has been highlighted as a tool that can be applied to various problems,
especially in fields that require data to be interpreted and acted upon (Awad and Khanna 2015).
Machine learning delivers the capability to detect meaningful patterns in data, and has become a
common tool for almost any task faced with the requirement of extracting meaningful information
from data sets. When faced with the requirement of extracting meaningful information from data,
and the consequent complexity of patterns to be studied, a programmer may not be able to provide
explicit and detailed specification on the execution process. Machine learning addresses this
challenge by “endowing programs” with the ability to “learn and adapt”. The machine learning
programs learn and improve, and can be applied when the problem that has to be dealt has the dual
challenge of complexity and the need for adaptability (Shalev-Shwartz and Ben-David 2014).

Marke t Ris k Cre dit Ris k
Liquidity

Ris k

Non-Financial
Ris k

(Operational
Risk)

Ris k Limits √ √ √
Cre dit Ris k limits √
Value at Ris k √
Earnings at Ris k √
Expe cte d Shortfall √
Economic Value Stre s s Te s ting √
Economic Capital √ √ √ √
Ris k Se ns itivitie s √
Ris k Ass e ss me nt (RCSA) √
Ope rational Ris k Los s e s √
Los s Dis tribution Approach √
Sce nario Analysis √ √ √ √
Tail Ris k Capture √ √ √ √
Stre s s Te s ting √ √ √ √
Scoring Mode ls √
Rating Mode ls √
Expos ure
– Probability of De fault
– Los s Give n De fault
– Expos ure at De fault

√

Back Te s ting √ √ √

Ris k Appe tite √ √ √ √
Ris k Ide ntification √ √ √ √
Ris k Ass e ss me nt √ √ √ √
Ris k Me as ure me nt √ √ √ √
Ris k Te s ting √ √ √ √
Ris k Monitoring √ √ √ √
Ris k re porting √ √ √ √
Ris k Ove rs ight √ √ √ √
Capital Manage me nt (calculation and
allocation)
– CCAR
– ICAAP

√ √ √ √

Ris k Manage me nt Tools

Ris k Manage me nt Frame work Compone nts

Figure 2. Risk Management Methods and Tools.

2.2. Machine Learning

Machine learning has been explained as lying at the intersection of computer science, engineering
and statistics. It has been highlighted as a tool that can be applied to various problems, especially in
fields that require data to be interpreted and acted upon (Awad and Khanna 2015). Machine learning
delivers the capability to detect meaningful patterns in data, and has become a common tool for almost
any task faced with the requirement of extracting meaningful information from data sets. When faced
with the requirement of extracting meaningful information from data, and the consequent complexity
of patterns to be studied, a programmer may not be able to provide explicit and detailed specification
on the execution process. Machine learning addresses this challenge by “endowing programs” with
the ability to “learn and adapt”. The machine learning programs learn and improve, and can be

Risks 2019, 7, 29 6 of 22

applied when the problem that has to be dealt has the dual challenge of complexity and the need for
adaptability (Shalev-Shwartz and Ben-David 2014).

Machine learning tools that are driving the advances in search engines and self-driving cars can be
adopted and applied to the financial sector. A variety of technological developments have contributed
to the financial sector being able to explore and mine a voluminous data infrastructure that includes
diverse sets of unstructured forms of financial data about markets and consumers. Economists are
increasingly adopting machine learning, in conjunction with other tools and expertise to evaluate
complex relationships, despite machine learning’s limitations in being able to determine causality.
The adoption of machine learning has been motivated by the potential opportunities for cost reduction,
improved productivity and improved risk management. New regulations have also pushed the banks
to automate with the need to have efficient regulatory compliance (Financial Stability Board 2017).

Data driven and computational-based, machine learning algorithms rely less on assumptions
about the data, including about the distribution. While they are considered more robust and better at
addressing complex non-linear relationships, they also are seen as being difficult to interpret (Galindo
and Tamayo 2000).

Recent years have seen a surge in the amount of data gathered within financial institutions (FI).
A big push towards the digitalisation of services and increased regulatory reporting requirements has
resulted in a large amount of unstructured data being created and/or collected at a high frequency.
This data comes from various sources, including consumer apps, client interactions, metadata and
other external data sources. The desire to enhance their analytical capabilities and automate across
business lines, including risk management, by managing and mining these increased volumes and a
variety of data has led financial institutions to explore powerful and analytical solutions, a consequence
of which is the rise in interest and the popularity of machine learning and artificial intelligence within
the FI community (Van Liebergen 2017). Machine learning is widely seen in the financial services sector
as having the potential to deliver the analytical capability that FIs desire. Machine learning is capable
of impacting every aspect of the FI’s business model—improving insight into client preferences, risk
management, fraud detection, conduct monitoring, client support automation and even automated
identity verification when coupled with biometrics.

Van Liebergen (2017) introduces the field, and through discussions with the Institute of
International Finance and technology ventures, explains use cases within financial institutions.
He discusses applications in the area of credit risk modelling, detection of credit card fraud and
money laundering and surveillance of conduct breaches at FIs. He also highlights that Machine
learning seeks to predict “out-of-sample” while learning “found in-sample” (past) correlations, while
falling short of providing an explanation for the analysed relationship. This could create complexities
around model development and evaluation.

Machine learning also plays a role at the Securities and Exchange Commission (SEC) in the
risk assessment process in identifying misconduct. While this is applicable from a supervisory
perspective and for the oversight of systemic risks, it can also serve as a guide for a bank on how
similar machine learning techniques can be applied in risk assessments for the detection of misconduct
(internal or external) including risk assessments on corporate issuers or counterparties (Bauguess 2015).
In computational finance, machine learning has great potential and could be variedly used, ranging
from the comprehensive exploratory data analysis to the presentation/visualisation of modelling
results (Kanevski and Timonin 2010).

Some of the cons of machine learning, as argued, are that they are more “black box” in nature,
with results at times being difficult to interpret. It is argued that they are also sensitive to outliers,
resulting in the overfitting of the data and counterintuitive predictions. They are also argued to have
the pros of being able to be a better fit for non-linear relationships between the explanatory variables
and explained variables, and also that the ability for them to apply a broader set of variables tends to
improve accuracy (Bacham and Zhao 2017).

Risks 2019, 7, 29 7 of 22

3. Materials and Methods

To carry out the review of literature that researches the application of machine learning in bank
risk management, two sets of key words were used in the search for related papers. The search for
papers was done using the scholar.google.com, SSRN and ProQuest databases. The search was largely
focused on papers after 2007 to capture developments since the global financial crisis; however papers
prior to that period were also included if they were referenced in other recent papers.

The first group of words was ‘machine learning’, in line with the topic. The second group
comprised terms that were identified from the review of the bank annual reports. This includes risk
types, as listed in the risk taxonomy and risk management tools or methods that were identified from
the bank annual reports. Taxonomy is as shown in Figure 1, and methods as in Figure 2.

The search and review was limited to conference papers, journal articles and selected theses (post
graduate or doctoral). The review has not considered articles, white papers, vendor papers or web
articles that have just made reference to machine learning without providing details on how, or that
made references to the application of any specific algorithm, though many such articles did come up in
the search. In particular, there are a large number of articles, web and magazines, and publications that
include machine learning as a solution or as a generic and general recommendation without providing
further details on how a given specific problem can be addressed.

The review has looked at only papers that have analysed the topic with a level of depth, namely,
by making references to specific algorithms or providing a design or model for how ML can be
implemented. Articles or papers or conference proceedings that have made only a cursory or a general
reference to the application of ML in the risk management space have not been considered for this
research. It is noted that there are many references available where the authors or speakers have
proposed that ML or AI can be applied in the management of risk; however, many of them stop short
of providing clarity on which algorithms, or fail to provide examples of how ML/AI has been applied
in a test or industry setup.

The methodological framework for this research was determined by analysing the various problem
areas related to machine learning and risk management in banks. The articles were classified to
understand: (i) the risk area they focused on; (ii) the risk management tool or risk management
framework component they targeted; or (iii) the algorithms that were applied/studied/proposed.
The survey was also seeking to review papers that focused more on risk assessment and measurement.

Risk areas such as cybersecurity and fraud risk have been dealt with widely; however, the focus
in this review has been only on cases where they specifically relate to banking risk management
use cases. Papers that focus the research on operational matters, such as credit risk management
solutions that address the operational process of credit review and approval, or tools that are focused
on supporting traders and trading risk managers in the and trade management process, have not
been considered. Additionally, operational risk management solutions that fit within the operational
process to mitigate operational events/incidents (e.g., robotics process automation, STP, anomaly
detection) have not been researched.

An overview of the papers that were reviewed is included in Appendix A.

3.1. Credit Risk

The assessment of credit risk remains an important and challenging research topic in the field of
finance, with initial efforts dating back to the last century. On the back of the global financial crisis
events and the consequent increased regulatory focus, the credit risk assessment process has seen an
increased interest within the academic and business community. The general approach to credit risk
assessment has been to apply a classification technique on past customer data, including on delinquent
customers, to analyse and evaluate the relation between the characteristics of a customer and their
potential failure. This could be used to determine classifiers that can be applied in the categorisation of
new applicants or existing customers as good or bad (Wang et al. 2005).

Risks 2019, 7, 29 8 of 22

Credit risk evaluation occupies an important place within risk management. Techniques such
as Logistic regression and discriminant analysis are traditionally used in credit scoring to determine
likelihood of default. Support Vector machines are successful in classifying credit card customers who
default. They were also found to be competitive in discovering features that are most significant in
determining risk of default when tested and compared against the traditional techniques (Bellotti
and Crook 2009). Credit risk modelling for the calculation of credit loss exposure involves the
estimation of the Probability of Default (PD), the Exposure at Default (EAD) and the Loss Given
Default (LGD). This is emphasised by the Basel II accord. Predominant methods to develop models
for PD are classification and survival analysis, with the latter involving the estimation of whether
the customer would default and when the default could occur. Classifier algorithms were found
to perform significantly more accurately than standard logistic regression in credit scoring. Also,
advanced methods were found to perform extremely well on credit scoring data sets such as artificial
neural networks, performing better than extreme learning machine (Lessmann et al. 2015).

Through the Basel accord requirements, the need to allocate capital in an efficient and profitable
manner has lead FIs to build credit scoring models to assess the default risk of their customers. Again,
SVM has been shown to yield significantly better results in credit scoring (Van Gestel et al. 2003).
An accurate prediction of estimated probability of default delivers more value to risk management
in comparison to a binary classification of clients as either credible or not-credible. A number of
techniques are used in credit scoring, such as discriminant analysis, logistic regression, Bayes classifier,
nearest neighbour, artificial neural networks and classification trees. Artificial neural networks have
been shown to perform classifications more accurately than the other five methods (Yeh and Lien 2009)

Methods and models are being constantly developed to address a significant issue at banks,
namely, the correct classification of customers and the estimation of credit risk. The various approaches
applied in these methods seek to increase the accuracy of creditworthiness predictions that could lead
to a bigger and profitable loan portfolio. Neural networks have proven to be of significant value in the
credit risk decision process, and their application in company distress predictions was reported to be
beneficial in credit risk evaluation (Wójcicka 2017).

While credit risk is the most researched and evaluated risk area for the application of machine
learning, this is not a new phenomenon. Dating as far back as 1994, Altman and …