Trending Topics from CBALive!

Quickly:
  • A few quick-hit thoughts from this week’s CBALive! conference, where I spent the past three days engaged in conversations about consumer behavior and emerging digital initiatives.

ORLANDO, FL — When the Former Director of the National Security Agency and the Central Intelligence Agency says that the private sector needs to step in and take more responsibility for cyber safety and protection, it is a lede I dare not bury.

To paraphrase General Michael Hayden, now a Principal at The Chertoff Group, nation-states like North Korea and Iran pose major challenges to the fabric of our financial industry.  The Russians, though, remain in a class of their own.  As he explained, their focus on information dominance, not just cyber dominance, reflects a coordinated and concentrated fight to control the American public’s perceptions. As the recent presidential election proved, their ability to create “information bubbles” gives them a weapon with which to hurt companies’ reputations in addition to using other cyber hacking techniques to corrupt an institution’s data or to steal money.

While many bank boards have a tight pulse on their organization’s cybersecurity preparedness, Gen. Hayden made clear that the U.S. government views cyber as a new domain of warfare (alongside the traditional domains of air, sea, land and space).  Whether they want to or not, banks of all sizes form the cavalry that needs to ride to the country’s rescue as the cyber threats continue to proliferate.

Gen. Hayden discussed our virtual vulnerabilities and the real risks for our country during his afternoon’s keynote presentation at the Consumer Bankers Association CBALive! conference at the Hilton Orlando Bonnet Creek.  In addition to these remarks, I made note of three key issues that tie into their conference theme of “beyond the bank:”

The race to grow deposits continues.

The digital presence and marketing efforts of the biggest banks in the U.S. continue to enable them to acquire an outsized share of consumer and commercial relationships.  Given that deposits proved the big theme at our Acquire or Be Acquired Conference, I made note of Novantas‘ perspectives as they apply to community banks trying to grow and compete.  Given their involvement with financial institutions — the firm provides information, analyses and automated solutions designed to improve revenue generation — they believe acquisitive banks must apply the same discipline to evaluating a potential acquisition bank’s deposit portfolio as they historically have given to the lending book.  As they shared in a white paper, “the importance of such rigor has increased with higher rates: the low-rate banks of yesterday can wind up with unattractive deposit positions tomorrow.”

Artificial intelligence remains the ultimate buzzword.

Alistair Rennie, General Manager, Solutions at IBM Watson Financial Services opined on the promise of machine learning and artificial intelligence, highlighting the intersection of digital, offline and social identity data as a means to improve enterprise-wide visibility into regulatory and internal compliance controls.  As he shared, cognitive technologies promise to fundamentally change how banks identify customer behaviors and patterns. Personally, I found his most interesting point for bank leadership came from his first audience-specific question (*see the image that leads off today’s post).

Can you really “own” the customer experience?

Forgive me if you caught me rolling my eyes during presentations that began with “banks need to own the customer experience,” especially when delivered as if a novel approach to business.  Marketing 101 starts with a basic premise: know your customer — and give them what they want.  So when looking for the characteristics of disruption that might strengthen a relationship, I liked this particular tweet:

While we covered a lot of ground, these three thoughts accompany me on my flight home to D.C.  My thanks to Richard Hunt and his team at the CBA for inviting me and our CMO, Michelle King, to join them in Orlando.  The CBA represents America’s retail banks and does a great job bringing together some of the biggest institutions in the U.S. to address issues such as these.  If you’re not following Richard on Twitter, his handle is @cajunbanker and for the CBA, check out @consumerbankers.

5 Cybersecurity Companies Bank Execs & Board Members Need to Know

When it comes to cybersecurity, the best defense might just be a great offense.  Whereas cybersecurity once focused on how banks could avoid losing money, my team and I are working on a program for 2017 to help officers and directors address potential scenarios (and develop realistic response plans) should a hack, breech or attack occur.  Indeed, protecting the bank against a cyber attack is a core responsibility of every member of a bank’s board and executive team.

In recent posts, I’ve highlighted various fintechs that I find compelling given their relationships with financial institutions.  In terms of cybersecurity, I’ve had the chance to learn more about companies like DefenseStorm (given their support of companies like nCino and LiveOak Bank) that I greatly respect.  Below are five more companies that I think bank leadership teams need to know:

Cognizant

A global cybersecurity solution and service provider, Cognizant supports multiple industry verticals and information security service lines.  I encourage you to take a look at their thoughts on what traditional banks can do to rebuild trust in the digital era.

Centrify

California-based Centrify offers identity & access management solutions to help secure enterprise identities against cyberthreats that target today’s IT environment of cloud computing.  Banking customers include such recognizable names as BB&T, SunTrust, Citi and RBS.

Lookout

Lookout has taken a mobile-first approach to security.  Indeed, one of the world’s largest investment management firms chose Lookout to provide threat and data leakage protection to over 10,000 managed iOS and Android devices.

Feedzai

Founded by data scientists and aerospace engineers, Feedzai’s mission is to “make commerce safe for business customers and create a better experience for their consumers through artificially intelligent machine learning.”

Brighterion

Since the founding of Brighterion, its core technology has been adapted and improved for real-time applications in the fields of payment, healthcare, marketing and homeland security.  For instance, its analysis of payments provides “unprecedented behavioral insights,” from the spending behavior of customers to the constantly evolving techniques of fraudsters.

##

As a complement to these five businesses, let me wrap up by sharing a recent FinXTech article:Emerging Technologies Combat Cybercrime.  As you will read, banks are doing everything they can to reassure customers that their digital information is safe and secure.

Can Banks Keep Up?

As the financial industry adapts to various digitization trends, my team continues to field inquiries from bank CEOs and their executive teams specific to emerging technology strategies and opportunities.  One way we attempt to benchmark current interests (and concerns): an annual research project.  This year, we evaluated industry attitudes toward core providers and fintech firms, including marketplace lenders like Lending Club, in our just-released Bank Director Technology Survey.  While a number of findings jumped out at me, three really caught my eye:

  • Eighty-one percent of bank chief information officers and chief technology officers responding say that their core processor is slow to respond to innovations in the marketplace, making it even more difficult for the banking industry to keep up with shifting consumer expectations regarding technology.
  • Thirty percent of bank CIOs and CTOs report that their bank has pulled back on plans to integrate a more innovative product, service or delivery channel due to the inability or unwillingness of the bank’s core processor to support that activity.
  • Banks are highly reliant on core providers for services beyond core processing, which at its most basic contains vital customer data and processes all customer transactions. Ninety-six percent of respondents say their bank uses their core provider for additional services, including mobile banking (71 percent) and bill pay (75 percent).

Our 2016 Technology Survey, sponsored by the technology solutions provider CDW, reflects the opinions of 199 board members and senior executives of U.S. banks surveyed in June and July.  The size of institutions polled fell between $250 million and $20 billion in assets.  In addition to the points shared above, we found:

  • Thirty-one percent of respondents have converted their bank’s core technology within the past five years. Forty-two percent converted their core more than 10 years ago.  Respondents report that their bank works with a median of five technology firms, including the core provider.
  • Sixty-one percent of participants see fintech firms as both competitors and partners.
    Online marketplace lenders should be more heavily regulated, say 60 percent of respondents. Forty-one percent worry that they’ll lose loans to these lenders, but 18 percent don’t think these lenders have long-term viability.
  • Opinions are mixed on the impact that blockchain—the underlying technology behind the digital currency bitcoin—will have on the banking industry. Twenty-four percent believe it will impact all banks. However, 57 percent don’t understand blockchain enough to form an opinion, or have never heard of the technology.

Finally, cybersecurity continues to loom large.  Having a strong technology infrastructure in place to protect against cyberattacks remains the top technology concern for survey participants, at 72 percent.  Seventy percent indicate that their bank could better use data to serve the needs of existing customers, or identify new customers.  Seventy percent of respondents believe that technological innovation is a priority for their board, but less than half discuss technology at every board meeting.  Thirty-four percent of respondents describe themselves as early adopters of technology.

The full survey results are available online at BankDirector.com, and will be featured in the 4th quarter 2016 issue of Bank Director magazine.

Cybersecurity and the Fintech Wave

Earlier this month, at Bank Director’s FinTech Day at Nasdaq’s MarketSite in New York City, I noted how many technology firms are developing strategies, practices and tools that will dramatically influence how banking gets done in the future. Concomitantly, I expressed an optimism that banks are learning from these new players, adapting their offerings and identifying opportunities to collaborate with new “digital-first” businesses.  Unfortunately, with great opportunity comes significant risk (and today’s post looks at a major one challenging bank CEOs and their boards). 

By Al Dominick, President & CEO, Bank Director

To grow your revenue, deposits, brand, market size and/or market share requires both strong leadership and business strategy.  Right now, there are a handful of banks developing niche vertical lines of business to compete with the largest institutions. For instance, East West Bancorp, EverBank Financial, First Republic Bank, Opus Bank, PacWest Bancorp, Signature Bank and Texas Capital Bancshares.

Just as compelling as each bank’s approach to growing their business is the idea that new competitors in direct and mobile banking will spur the digitalization of our industry.  I am a firm believer that through partnerships, acquisitions or direct investments, incumbents and upstarts alike have many real and distinct opportunities to grow and scale while improving the fabric of the financial community.

However, with myriad opportunities to leverage new technologies comes significant risk, a fact not lost on the bank executives and board members who responded to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS.  For the second year running, they indicate that cybersecurity is their top risk concern.

More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.

However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Less than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.

For those thinking about the intersection of fintechs and banks, take a look at our just-released 2016 Risk Practices Survey. This year, we examine risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.

Key Findings Include:

  • Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. FWIW, bank regulators have started to use the tool in exams, and some states are mandating its use.
  • Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.
  • The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.
  • Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.
  • Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.

Clearly, banks are increasingly relying on complex models to support economic, financial and compliance decision-making processes.  Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — I am pleased to share this year’s report as part of our commitment to providing timely & relevant information to the banking community.

Main Areas of Focus for a Bank’s Audit and Risk Committees

What’s top-of-mind for a bank’s Audit and Risk committee members?  Let’s start with cyber security…

By Al Dominick // @aldominick

There are many challenges that bank boards & executives must address, and these two videos (one by our editor, Jack Milligan; the other, by me) briefly review current issues that demand attention + emerging ones that we took note of at this week’s Bank Audit & Risk Committees Conference at the JW Marriott in Chicago.

*For more on the risks facing banks today, take a look at this report from our conference (#BDAudit15).

About That Elephant Coming Out of the Corner (*hello cyber security & banking)

Last summer, a cyberattack on JPMorgan Chase by Russian hackers compromised the accounts of 83 million households and seven million small businesses.  While the New York Times reports the crime did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank.  A data breach like this illustrates the clear and present danger cyber criminals pose to the safety and soundness of the financial system.  In my opinion, there can be nothing more damaging to the reputation of, and confidence in, the industry as a whole than major security breaches.

Yesterday, Bank Director released its annual Risk Practices Survey, sponsored by FIS, the world’s largest global provider dedicated to banking and payments technologies. As I read through the results, it became immediately apparent that cyber security is the most alarming risk issue for individuals today.  So while I layout the demographics surveyed at the end of this piece, it is worth noting that 80% of those directors and officers polled represent institutions with between $500 million and $5 billion in assets — banks that are, in my opinion, more vulnerable than their larger counterparts as their investment in cyber protection pales to what JPMorgan Chase, Wells Fargo, etc are spending.  In fact, the banks we surveyed allocated less than 1% of revenues to cybersecurity in 2014.  Accordingly, I’m gearing my biggest takeaway to community bankers since those individuals most frequently cited cyber attacks as a top concern.

Interestingly, individual concern hasn’t yet translated into more focus by bank boards. Indeed, less than 20% say cybersecurity is reviewed at every board meeting — and 51% of risk committees do not review the bank’s cybersecurity plan.  As I read through our report, this has to be a wakeup call for bank boards. While a number of retailers have made the news because of hacks and data thefts, this remains an emerging, nuanced and constantly evolving issue.

It would not surprise me if bank boards start spending more time on this topic as they are more concerned than they were last year. But I do see the need to start requiring management to brief them regularly on this issue, and start educating themselves on the topic.  In terms of where to focus early conversations if you’re not already, let me suggest bank boards focus on:

  • The detection of cyber breaches and penetration testing;
  • Corporate governance related to cyber security;
  • The bank’s current (not planned) defenses against breaches; and
  • The security of third-party vendors.

Personally, I don’t doubt that boards will spend considerably more time on this issue — but things have changed a lot in the last year in terms of news on data breaches.  If bankers want to start assessing the cybersecurity plan in the same way they look at the bank’s credit policies and business plan, well, I’d sleep a lot sounder.

So I’ll go on record and predict that boards will become more aware and take on a more active role in the coming months — and also expect that regulators will start demanding that boards review cybersecurity plans, and that all banks have a cybersecurity plans.  To take this a step further, check out this piece by the law firm Arnold & Porter: Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats.

About this report

Bank Director’s research team surveyed 149 independent directors and senior executives of U.S. banks with more than $500 million in assets to examine risk management practices and governance trends, as well as how banks govern and manage cybersecurity risk. 43% of participants serve as an independent director or chairmen at their bank. 21% are CEOs, and 17% serve as the bank’s chief risk officer.

Trending at #BDComp14

This January, at Acquire or Be Acquired, I wrote that most successful banks have a clear understanding and focus of their market, strengths and opportunities.  So one big takeaway that builds on this idea from our annual Bank Executive & Board Compensation conference (#BDComp14 via @BankDirector): it is time for a bank’s compensation committee and HR officer to reassess their viability of their performance plans and incentive programs.

Today’s agenda covered a lot of ground; namely, how economic, technological and demographic trends are reshaping the financial community. With nearly 300 attendees with us in Chicago, I heard a lot of interesting comments and questions made throughout the day. Three that stood out to me from our “on-the-record” presentations:

  • The Fed’s policies are forcing banks to ask tough questions: When will rates rise? Should I make fixed rate loans in the 4% range? How will this play out? How does it affect my stock value? (Steve Hovde, the CEO of the Hovde Group)
  • It is not what you do for people that they remember; it is how you make them feel. (Scott Dueser, the Chairman & CEO of First Financial Bankshares)
  • When it comes to Dodd-Frank, I thought we’d be through it all, but its still going full force (Susan O’Donnell, a Partner at Meridian Compensation Partners)

Trending topics
Overall, the issues I took note of were, in no particular order: loan growth is now paramount to profitability; with cybersecurity risks growing, protection is becoming more and more costly (especially in terms of time & resources); standardized loan products are reducing competitive advantages of community banks (naturally impacting compensation plan participants); if compensation plans are overly complicated, step back and ask if your are trying to solve for something else; culture and performance is what it’s all about.

More to come from Chicago tomorrow…