NODES 2022: Neo4j’s Joe Depeau on Demonstrating Risk and Resilience with Graphs



In the wake of the 2007 sub-prime lending crisis, many of the world’s commerce and finance regulatory authorities turned to an institution called the Bank of International Settlements. This bank — itself maintained by some 63 countries’ central banks, including the US Federal Reserve’s Board of Governors — began advising regulators to mandate that their countries’ financial institutions make regular reports about how they have modeled their own risk management policies.

At first, banks prepared for these new regulations by devising schemes for their financial transactional data to be centralized. But then, governance frameworks such as BCBS 239 advised institutions to implement something they weren’t expecting: aggregation. To prove they were ready for the next crisis, banks and insurers need to back up their risk models with data from multiple sources — not one centralized data bank. What’s more, they need to show how data flows into those sources, and how elements of that data are interrelated.

This should be a critical moment for graph databases to enter the picture; and indeed, Neo4j marched right in. But are risk models improving as a result, and are regulators satisfied that their original objectives are being met? Or are they settling for the quality of information they’re currently getting? We spoke with Neo4j senior consultant Joe Depeau on the state of risk modeling, fifteen years after one of history’s most devastating institutional collapses.

Risk Rewarded

Scott Fulton: In a video some time back, you talked about how financial organizations tend to demonstrate risk models to the regulators in their respective countries. How does a graph database change that process, if at all?

Joe Depeau: A good example I use for this is BCBS 239. It’s a Basel Committee on Banking Supervision regulation. This came out of the sub-prime lending crisis with all the banks being bailed out, and it rolled out over stages with systemically important banks having to do it first, and less important banks after. The idea is, in short, you have to be able to show how you’re understanding risk as a financial institution. What figures are you using to understand the risk in your portfolios? Then you need to be able to show how you get those figures. You need to be able to go up and down the stack — to say, “Here’s my data; here’s how I aggregate it up; here’s the systems it comes from; here’s the calculations I apply; and here’s how I summarize those KPIs to show our Board.”

For each KPI you look at for your risk profile, [you show] where I get that data from. How do I start from that KPI and go all the way down? There’s a number of principles behind that. You need to be able to demonstrate to the regulator how you’re doing this.

Scott Fulton: I would think this would be fairly simple, then, for a regulator who’s already familiar with financial models whose data comes from transactional, relational databases. But when you have someone come along who says, “For our fraud detection, we’re employing a graph database, and we’re using such things as graph embeddings,” I would think the regulator would go, “W-w-w-w-what’s that?”

Joe Depeau: BCBS is a little old now. Whenever I talk to a bank now, they’re like, “BCBS? This is so, like, 2012.”

It’s more of a data lineage story than it is an embedding story. When you need to understand where your data lives, and how you’re storing it and how you’re processing it, especially when you’re working with these complex derivatives that different parts of your organization might be invested in, to demonstrate that complexity as a graph is a great way to do it. When you’re talking about movements of calculations being applied, data being aggregated, moved about, graph is a nice way of representing that. So you can go to the regulator and say, “Here is the flow of my data; here’s where I get the data from; and here is where I aggregate it out, to arrive at this number.”

Tipping Point

Scott Fulton: When you’re making that type of demonstration to regulators, what’s the threshold they’re looking for — the minimum level of functional plausibility that you have to demonstrate in your risk model, to make them sign off on it?

Joe Depeau: They want to know, is what you’re presenting accurate? Is it complete? Is the data you’re working with timely? They want to know you’re working with recent data, and not three or six months old. Is it comprehensive? How often do you do this process? There are a number of keywords set out in principles that the regulators look for.

It’s not just an exercise in showing the regulators that you are handling your risk appropriately, although that’s part of it. There were consequences. If you couldn’t demonstrate to a certain level that your risk was appropriate, and you were handling it the right way, then they would make you put aside more money as a buffer. As a bank, you wanted to give them the best report that you could, and show them that your risk was manageable, and that you were handling it appropriately, because that way you could have less money in reserve. Then you would have more money to invest and spend. Whereas if you were a naughty bank, and you didn’t go to the regulators with what they wanted to see, they would make you have more money in reserve, as a buffer for that risk. It was in all the banks’ interests to be as compliant as they could.

Scott Fulton: You would think the growing plethora of global financial regulatory frameworks would result in a greater level of standardization and compliance among organizations, which would, in turn, lead to more homogenous, identical, standardized means of financial reporting. You’ve said in the past, the opposite tends to be true. But that was four years in the past; what about today? Are we starting to see a consolidation of the mindset around how financial reporting should take place?

Joe Depeau: I don’t see it so much anymore, but we used to have big pushes around risk. So much of it comes down to just knowing where your data comes from, where you hold it, how it’s being used in your organization, how it moves around, how you’re aggregating it and computing it into KPIs. So much of the regulatory landscape boils down to that.

The idea was, you could build one graph, and then use that graph to address so many of these regulatory compliance requirements that an organization has. Because we can see that consistent need for a graph across so many pieces of regulation, we would like to see more graphs being used to address that problem.
