Confronted by so much short term political uncertainty and lack of coordination, many systemic risks, particularly in the financial sector and the economy writ large, are going unnoticed. One of the causes of these blind spots is both the presumption of financial safety in the global economy since the Great Recession, while at the same time a general misperception of what makes a financial institution systemic. Since the dust settled from the global financial crisis and the wave of regulation on banking risk have been implemented, questions remain about the likely causes and locations of the next “big one” in finance. This “big one” may very well stem from widely interconnected payroll and data processing firms that are veritable utilities in the global financial system, among other possible points of vulnerability.
As is all too often the case, risk management and, in this instance, financial regulators, have largely addressed yesterday’s threats to the global financial system. Since 2008, the global threat landscape has evolved rapidly and in some insidious ways. For example, in 2008, the concept of a bank’s entire business model being held hostage to ransomware was a distant possibility – and not factored at all in how systemic financial institutions (SIFIs) are governed by the macro-prudential framework. Since then, this threat is not only a very real possibility, as we have seen with the Sony Entertainment cyber-attack, and the numerous named and unnamed hospitals, universities and other organizations that have become the “soft targets” or, better still, the practice range, for increasingly sophisticated exploits. Along these lines, a safer global financial system is one that keeps pace with the accelerating risk-reward trade off in the global economy, while at the same time keeping stock of “feeder” institutions that provide the piping through which capital and data flows. From time to time this global audit needs to shine a light on the seemingly inconsequential areas of the economy to look for critical relationships and organizations that are either too big to fail or, in this case, too interconnected to ignore.
During the gold rush, it was probably more rewarding to sell people shovels than to be the one digging for gold. The shovel sellers, while largely behind the scenes like a utility, were nonetheless systemic to the bonanza. Similarly, it begs the question, who are the systemic institutions – the veritable behind the scenes stage hands – of the global financial system? What are the choke points and single points of failure on which the economy depends? As an example, payroll and financial service providers, such as Automatic Data Processing, Inc. (ADP), Intuit, and Paychex, hardly register as SIFIs by today’s standards and they pale in comparison to the large banks with combined 2016 revenues of $19.2 billion, their top line roughly equals JP Morgan’s 2015 net income. Yet, combined they are essential to millions of people and hundreds of thousands of employers who rely on these firms to process their payroll, tax, healthcare and other sensitive data. Between them they serve more than 2,255,000 customers, with the majority falling into the small to medium employer category.
In the same way that failing to bail out Lehman Brothers in 2008 lit the fuse of a financial tinderbox causing liquidity to dry up, what happens if a major payroll provider falters for whatever cause? What are the knock-on effects in such a scenario? The major payroll firms are in many ways systemically plugged into banks, where the money comes from, employers, where they have offered a business process outsourcing capability for human resource (HR) and compliance matters, and the insurance industry, where they pick up employee benefits, worker’s compensation and retirement plans, among others – all while being plugged into the IRS for tax filing and compliance at the household and company levels. In short, the prospect of a national day without pay is not a remote possibility. The bigger question is which other dominos fall in this rally and how long would it take to pick up the pieces and restore confidence in the economy?
The dangers of interconnections and unseen supply chains like these would be particularly hard for small to medium sized enterprises (SMEs) to contend with – and in many ways they are most at risk. Many mid-sized firms turn to integrated payroll and HR-outsourcing firms to help augment their often-strained HR and financial bench, under the promise of modernized systems and processes. In order to achieve this level of technological integration, with electronic payroll, employee benefits and other sensitive data feeds, millions of connecting points are needed. Who and what they connect to make the payroll processing industry critically important to global financial stability. The answer of course is not to over-regulate creating a presumption of safety. The answer in part lies in recognizing the exposure, identifying the points of vulnerability and shoring up all layers of the value chain, beginning with those who are most at risk, namely individual households and employers. Unless a business can run fully on paper and clipboards, which is an improbable case, they are vulnerable to cyber risk and other technological threats.
Clearly in a modern economy one cannot retreat from interconnections and the low-friction trade-off of modernizing business processes, which is the value proposition offered by major payroll processing firms. We can, however, begin to simulate the effects and consequential losses should one of these firms’ falter, being mindful of cascading relationships. War-gaming and scenario planning are useful approaches as risk always favors the prepared, in the same way that serendipity favors risk-takers. In addition to these types of simulations, which individual companies can run, all participants in this value chain are urged to both assess and understand their security posture and points of vulnerability to this scenario – no matter how remote it may seem. Finally, having adequate internal or external financial hedges, such as insurance or cash reserves in place will help offset the economic consequences of a day without pay.