Category: Risk Management

Posted on

An Easy Way to Lose Sight of Critical Risks

CHICAGO — Let me ask you a question:

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Indeed, smart executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings. But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at today and tomorrow’s Bank Audit and Risk Committees Conference in Chicago, we do so with an eye not just to the internal challenges faced by your institution but on the external pressures as well.

As my team at Bank Director prepares to host 317 women and men from banks across the country this morning, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk. To take things a step further:

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution. Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations.

I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry. That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

So as I prepare to take the stage to kick off this year’s Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

Posted on

3 Trends (and 3 Issues) Every Bank’s Board Needs To Consider

Quickly:

  • The challenges faced by financial institutions today are as numerous as they are nuanced. Be it data security, emerging technology, fraud, crisis management and/or the effectiveness of internal controls, I opened the 12th annual Bank Audit & Risk Committees Conference by laying out a number of key governance, risk and compliance issues and trends.

CHICAGO — While a sophomore at Washington & Lee University, a professor loudly (and unexpectedly) chastised a close friend of mine for stating the obvious. With a wry laugh, he thanked my classmate “for crashing through an open door.” Snark aside, his criticism became a rallying cry for me to pause and dive deeper into apparently simple questions or issues.

Audit16x9

I shared this anecdote with some 400 attendees earlier today; indeed, I teed up Bank Director’s annual program by reminding everyone from the main stage that:

  1. We’re late in the economic cycle;
  2. Rates are rising; and
  3. Pressure on lending spreads remains intense.

Given the composition of this year’s audience, I acknowledged the obvious nature of these three points. I did so, however, in order to surface three trends we felt all here should have on their radar.  I followed that up with three emerging issues to make note of.

TREND #1:
Big banks continue to roll-out exceptional customer-facing technology.

Wells Fargo has been kicked around a lot in the press this year, but to see how big banks continue to pile up retail banking wins, take a look at Greenhouse by Wells Fargo, their app designed to attract younger customers to banking.

TREND #2:
Traditional core IT providers — Fiserv, Jack Henry & FIS — are under fire.

As traditional players move towards digital businesses, new players continue to emerge to help traditional banks become more nimble, flexible and competitive.  Here, FinXact and Nymbus provide two good examples of legitimate challengers to legacy cores.

TREND #3:
Amazon lurks as the game changer.

Community banker’s fear Amazon’s potential entry into this market; according to Promontory Interfinancial Network’s recent business outlook, it is their greatest threat.

In addition to these trends, I surfaced three immediate issues that banks must tackle

ISSUE #1:
Big banks attract new deposits at a much faster pace than banks with less than $1 billion assets.

If small banks can’t easily and efficiently attract deposits, they basically have no future. ‘Nuf said.

ISSUE #2: 
Bank boards need to know if they want to buy, sell or grow independently.

In a recent newsletter, Tom Brown of Second Curve Capital opined that “if you have less than $5 billion in assets, an efficiency ratio north of 65%, deposit costs above 60 basis points, and earn a return on equity in the single digits, this really is time to give some thought to selling.”  As I shared on LinkedIn yesterday, the 3 biggest bank M&A deals of the year took place in May: Fifth Third Bancorp’s $4.6 billion purchase of MB Financial, Cadence Bancorp’s $1.3 billion acquisition of State Bank Financial and Independent Bank Group’s $1 billion agreement to buy Guaranty Bancorp. 
 I don’t see the pace of consolidation slowing any time soon — and know that banks need to ask if they want (and can) be buyers or sellers.

ISSUE #3:
The risk of data breaches across industries continues to increase.

Be it risk management, internal control or third-party security considerations, every aspect of an institution is susceptible to a data breach — and managing these threats and identifying appropriate solutions takes a village that includes the most senior leaders of an organization.

##

Just as banks need to develop their audit and risk capabilities, skills and talents, so too do officers and directors have both an opportunity and the responsibility to stay abreast of various trends and topics.  Bank Director’s event continues tomorrow with some fascinating presentations. To see what’s been shared already, take a look at Twitter, where I’m tweeting using @aldominick and #BDAudit18.

Posted on

Trending Topics from CBALive!

Quickly:
  • A few quick-hit thoughts from this week’s CBALive! conference, where I spent the past three days engaged in conversations about consumer behavior and emerging digital initiatives.

ORLANDO, FL — When the Former Director of the National Security Agency and the Central Intelligence Agency says that the private sector needs to step in and take more responsibility for cyber safety and protection, it is a lede I dare not bury.

To paraphrase General Michael Hayden, now a Principal at The Chertoff Group, nation-states like North Korea and Iran pose major challenges to the fabric of our financial industry.  The Russians, though, remain in a class of their own.  As he explained, their focus on information dominance, not just cyber dominance, reflects a coordinated and concentrated fight to control the American public’s perceptions. As the recent presidential election proved, their ability to create “information bubbles” gives them a weapon with which to hurt companies’ reputations in addition to using other cyber hacking techniques to corrupt an institution’s data or to steal money.

While many bank boards have a tight pulse on their organization’s cybersecurity preparedness, Gen. Hayden made clear that the U.S. government views cyber as a new domain of warfare (alongside the traditional domains of air, sea, land and space).  Whether they want to or not, banks of all sizes form the cavalry that needs to ride to the country’s rescue as the cyber threats continue to proliferate.

Gen. Hayden discussed our virtual vulnerabilities and the real risks for our country during his afternoon’s keynote presentation at the Consumer Bankers Association CBALive! conference at the Hilton Orlando Bonnet Creek.  In addition to these remarks, I made note of three key issues that tie into their conference theme of “beyond the bank:”

The race to grow deposits continues.

The digital presence and marketing efforts of the biggest banks in the U.S. continue to enable them to acquire an outsized share of consumer and commercial relationships.  Given that deposits proved the big theme at our Acquire or Be Acquired Conference, I made note of Novantas‘ perspectives as they apply to community banks trying to grow and compete.  Given their involvement with financial institutions — the firm provides information, analyses and automated solutions designed to improve revenue generation — they believe acquisitive banks must apply the same discipline to evaluating a potential acquisition bank’s deposit portfolio as they historically have given to the lending book.  As they shared in a white paper, “the importance of such rigor has increased with higher rates: the low-rate banks of yesterday can wind up with unattractive deposit positions tomorrow.”

Artificial intelligence remains the ultimate buzzword.

Alistair Rennie, General Manager, Solutions at IBM Watson Financial Services opined on the promise of machine learning and artificial intelligence, highlighting the intersection of digital, offline and social identity data as a means to improve enterprise-wide visibility into regulatory and internal compliance controls.  As he shared, cognitive technologies promise to fundamentally change how banks identify customer behaviors and patterns. Personally, I found his most interesting point for bank leadership came from his first audience-specific question (*see the image that leads off today’s post).

Can you really “own” the customer experience?

Forgive me if you caught me rolling my eyes during presentations that began with “banks need to own the customer experience,” especially when delivered as if a novel approach to business.  Marketing 101 starts with a basic premise: know your customer — and give them what they want.  So when looking for the characteristics of disruption that might strengthen a relationship, I liked this particular tweet:

While we covered a lot of ground, these three thoughts accompany me on my flight home to D.C.  My thanks to Richard Hunt and his team at the CBA for inviting me and our CMO, Michelle King, to join them in Orlando.  The CBA represents America’s retail banks and does a great job bringing together some of the biggest institutions in the U.S. to address issues such as these.  If you’re not following Richard on Twitter, his handle is @cajunbanker and for the CBA, check out @consumerbankers.

Posted on

21 Reasons I Am Excited About Acquire or Be Acquired

Quickly:

  • Making banking digital, personalized and in compliance with regulatory expectations remains an ongoing challenge for the financial industry. This is just one reason why a successful merger — or acquisition — involves more than just finding the right cultural match and negotiating a good deal.

By Al Dominick, CEO of DirectorCorps — parent co. to Bank Director & FinXTech.

PHOENIX, AZ — As the sun comes up on the Arizona Biltmore, I have a huge smile on my face. Indeed, our team is READY to host the premier financial growth event for bank CEOs, senior management and members of the board: Bank Director’s 24th annual Acquire or Be Acquired Conference. This exclusive event brings together key leaders from across the financial industry to explore merger & acquisition strategies, financial growth opportunities and emerging areas of potential collaboration.

AOBA Demographics

The festivities begin later today with a welcoming reception on the Biltmore’s main lawn for all 1,125 of our registered attendees.  But before my team starts to welcome people, let me share what I am looking forward to over the next 72 hours:

  1. Saying hello to as many of the 241 bank CEOs from banks HQ’d in 45 states as I can;
  2. Greeting 669 members of a bank’s board;
  3. Hosting 127 executives with C-level titles (e.g. CFO, CMO and CTO);
  4. Entertaining predictions related to pricing and consolidation trends;
  5. Hearing how a bank’s CEO & board establishes their pricing discipline;
  6. Confirming that banks with strong tangible book value multiples are dominating M&A;
  7. Listening to the approaches one might take to acquire a privately-held/closely-held institution;
  8. Learning how boards debate the size they need to be in the next five years;
  9. Engaging in conversations about aligning current talent with future growth aspirations;
  10. Juxtaposing economic expectations against the possibilities for de novos and IPOs in 2018;
  11. Getting smarter on the current operating environment for banks — and what it might become;
  12. Popping into Show ’n Tells that showcase models for cooperation between banks and FinTechs;
  13. Predicting the intersection of banking and technology with executives from companies like Salesforce, nCino and PrecisionLender;
  14. Noting the emerging opportunities available to banks vis-a-vis payments, data and analytics;
  15. Moderating this year’s Seidman Panel, one comprised of bank CEOs from Fifth Third, Cross River Bank and Southern Missouri Bancorp;
  16. Identifying due diligence pitfalls — and how to avoid them;
  17. Testing the assumption that buyers will continue to capitalize on the strength of their shares to meet seller pricing expectations to seal stock-driven deals;
  18. Showing how and where banks can invest in cloud-based software;
  19. Encouraging conversations about partnerships, collaboration and enablement;
  20. Addressing three primary risks facing banks — cyber, credit and market; and
  21. Welcoming so many exceptional speakers to the stage, starting with Tom Michaud, President & CEO of Keefe, Bruyette & Woods, Inc., a Stifel Company, tomorrow morning.

For those of you interested in following the conference conversations via our social channels, I invite you to follow me on Twitter via @AlDominick, the host company, @BankDirector and our @Fin_X_Tech platform, and search & follow #AOBA18 to see what is being shared with (and by) our attendees.

Posted on

3 Disruptive Forces Confronting Banks – and How Zelle Might Help

By Al Dominick, CEO of DirectorCorps (parent co. to Bank Director & FinXTech) | @aldominick

“The volume and pace of what’s emerging is amazing. I’ve never seen it before in our industry.”

These words, spoken about technology driving an unprecedented pace of change across our financial landscape, came from Greg Carmichael, today’s keynote speaker at Bank Director’s annual Bank Audit & Risk Committees Conference.  Greg serves as president and CEO of Fifth Third Bancorp, a diversified financial services company headquartered in Cincinnati, Ohio.  The company has $142 billion in assets, approximately 18,000 employees, operates 1,191 retail-banking centers in 10 states and has a commercial and consumer lending presence throughout the U.S.

Fifth Third Bancorp’s four main businesses are commercial banking, branch banking, consumer lending and wealth and asset management.  Given this focus, Greg’s remarks addressed how, where and why technology continues to impact the way banks like his operate.  Thinking about his perspective on the digitization of the customer experience, I teed up his presentation with my observations on three risks facing bank leadership today.

Risk #1: Earlier this year, the online lending firm SoFi announced that it had acquired Zenbanx, a startup offering banking, debit, payments and money transfer services to users online and through its mobile app.  As TechCrunch shared, “the combination of the two will allow SoFi to move deeper into the financial lives of its customers. While today it focuses on student-loan refinancing, mortgages and personal loans, integrating Zenbanx will allow it to provide an alternative to the traditional checking and deposit services most of SoFi’s customers today get from banks like Bank of America, Citi or Chase.”  Given that many banks are just beginning their digital transformation, combinations like this create new competition for traditional banks to address.  Cause for further concern?  It came to light that SoFi just applied for an industrial loan bank charter in Utah under the name SoFi Bank.

Risk #2: With so much talk of the need for legacy institutions to pair up fintech companies, I made note of a recent MoneyConf event in Madrid, Spain.  There, BBVA chairman Francisco González said that banks need to shed their past and image as ‘incumbents’ and transform into new digital technology companies if they are to prosper in a banking environment dominated by technologically astute competitors. Transforming the bank “is not just a matter of platforms. The big challenge is changing an incumbent into a new digital company.”  Clearly, transforming one’s underlying business model is not for the faint of heart, and the leadership acumen required is quite substantial.

Risk #3: Finally, when it comes to digital companies doing it right, take a look at TheStreet’s recent post about how “Amazon Has Secretly Become a Giant Bank.”  I had no idea that its Amazon Lending service surpassed $3 billion in loans to small businesses since it was launched in 2011.  Indeed, “the eCommerce giant has loaned over $1 billion to small businesses in the past twelve months… Hiking up the sales for third party merchants is a plus for Amazon, as the company gets a piece of the transaction.” What I found particularly note-worthy is the fact that over 20,000 small businesses have received a loan from Amazon and more than 50% of the businesses Amazon loans to end up taking a second loan.

A Potential Solution

Jack Milligan, our Editor-in-Chief, recently wrote, “disruptive forces confronting banks today are systemic and in some cases accelerating.” In his words, the greatest risk facing bank leadership today is “the epochal change occurring in retail distribution as consumers and businesses embrace digital commerce in ever increasing numbers, while aggressive financial technology companies muscle into the financial services market to meet that demand.”

Against this backdrop, Fifth Third Bank just announced it will be one of more than 30 major financial institutions to roll out Zelle, a new peer-to-peer (P2P) payments service operated by Early Warning.  As Greg shared during his remarks, this will initially be offered through the banks’ mobile banking apps, and positions the bank to better compete with PayPal’s Venmo.

This is big news.  Indeed, Business Insider noted in today’s morning payments brief that the growing crowd of providers will fight over a mobile P2P market set to increase ninefold over the next five years, reaching $336 billion by 2021.  In addition to working directly with financial institutions, let me also note that Early Warning has established strategic partnerships with some of the leading payment processors –– think FIS, Fiserv, and Jack Henry.  These relationships will allow millions more to experience Zelle through community banks and credit unions.

##

Here in Chicago, we have 298 bank officers and directors with us today and tomorrow — and our Bank Audit and Risk Committees Conference itself totals 366 in attendance.  In terms of bank representation, we are proud to host audit committee members, audit committee chairs, CEOs, presidents, risk committee members, risk committee chairs, corporate secretaries, internal auditors, CFOs, CROs and other senior manager who works closely with the audit and/or risk committee.  Curious to see what’s being shared socially? I encourage you to follow @bankdirector and @fin_x_tech and check out #BDAudit17.

Posted on

5 Cybersecurity Companies Bank Execs & Board Members Need to Know

When it comes to cybersecurity, the best defense might just be a great offense.  Whereas cybersecurity once focused on how banks could avoid losing money, my team and I are working on a program for 2017 to help officers and directors address potential scenarios (and develop realistic response plans) should a hack, breech or attack occur.  Indeed, protecting the bank against a cyber attack is a core responsibility of every member of a bank’s board and executive team.

In recent posts, I’ve highlighted various fintechs that I find compelling given their relationships with financial institutions.  In terms of cybersecurity, I’ve had the chance to learn more about companies like DefenseStorm (given their support of companies like nCino and LiveOak Bank) that I greatly respect.  Below are five more companies that I think bank leadership teams need to know:

Cognizant

A global cybersecurity solution and service provider, Cognizant supports multiple industry verticals and information security service lines.  I encourage you to take a look at their thoughts on what traditional banks can do to rebuild trust in the digital era.

Centrify

California-based Centrify offers identity & access management solutions to help secure enterprise identities against cyberthreats that target today’s IT environment of cloud computing.  Banking customers include such recognizable names as BB&T, SunTrust, Citi and RBS.

Lookout

Lookout has taken a mobile-first approach to security.  Indeed, one of the world’s largest investment management firms chose Lookout to provide threat and data leakage protection to over 10,000 managed iOS and Android devices.

Feedzai

Founded by data scientists and aerospace engineers, Feedzai’s mission is to “make commerce safe for business customers and create a better experience for their consumers through artificially intelligent machine learning.”

Brighterion

Since the founding of Brighterion, its core technology has been adapted and improved for real-time applications in the fields of payment, healthcare, marketing and homeland security.  For instance, its analysis of payments provides “unprecedented behavioral insights,” from the spending behavior of customers to the constantly evolving techniques of fraudsters.

##

As a complement to these five businesses, let me wrap up by sharing a recent FinXTech article:Emerging Technologies Combat Cybercrime.  As you will read, banks are doing everything they can to reassure customers that their digital information is safe and secure.

Posted on

3 Key Takeaways from Bank Director’s Audit & Risk Conference

A quick check-in from the Swissotel in Chicago, where we just wrapped up the main day of Bank Director’s 10th annual Bank Audit & Risk Committees Conference.  This is a fascinating event, one focused on key accounting, risk and regulatory issues aligned with the information needs of a bank’s Chairman, CEO, Bank Audit Committee, Bank Risk Committee, CFO, CRO and internal auditor.  Risk + strategy go hand in hand; today, we spent considerable time debating risk in the context of growing the bank.

By Al Dominick, President & CEO of Bank Director

Earlier today, while moderating a panel discussion, I referenced a KPMG report that suggests “good risk management and governance can be compared to the brakes of a car. The better the brakes, the faster the car can drive.”  With anecdotes like this ringing in my head, allow me to share three key takeaways:

  1. A company’s culture & code of conduct are critical factors in creating an environment that encourages compliance with laws and regulations.
  2. Risk appetite is a widely accepted concept that remains difficult, in practice, to apply.
  3. As a member of the board, do not lose sight of the need to maintain your skepticism.

This year’s program brings together 150+ financial institutions and more then 300 attendees. The demographics reflect the audience we serve, so I thought to share three additional trends.  Clearly, boards of directors are under pressure to evolve.  Financial institutions need the right expertise and experience and benefit greatly when their directors have diverse backgrounds.

Further, as more regulatory rules are written, board members need to understand what they mean and how they can affect their bank’s business.  Finally, technology strategies and risks are inextricably linked to corporate strategy; as such, the level of board engagement needs to increase.

Given the many issues — both known and unknown — a bank faces as our industry evolves, today made clear how challenging it can be for an audit or risk committee member to get comfortable addressing risk and issues.  Staying compliant requires a solid defense and appreciation for what’s now.  Staying competitive?  This requires a sharper focus given near constant pressures to reduce costs while dealing with increasing competition and regulation.

##

To see what we’re sharing on our social networks, I encourage you to follow @bankdirector @fin_x_tech and @aldominick.  Questions or comment?  Feel free to leave me a note below.

Posted on

Cybersecurity and the Fintech Wave

Earlier this month, at Bank Director’s FinTech Day at Nasdaq’s MarketSite in New York City, I noted how many technology firms are developing strategies, practices and tools that will dramatically influence how banking gets done in the future. Concomitantly, I expressed an optimism that banks are learning from these new players, adapting their offerings and identifying opportunities to collaborate with new “digital-first” businesses.  Unfortunately, with great opportunity comes significant risk (and today’s post looks at a major one challenging bank CEOs and their boards). 

By Al Dominick, President & CEO, Bank Director

To grow your revenue, deposits, brand, market size and/or market share requires both strong leadership and business strategy.  Right now, there are a handful of banks developing niche vertical lines of business to compete with the largest institutions. For instance, East West Bancorp, EverBank Financial, First Republic Bank, Opus Bank, PacWest Bancorp, Signature Bank and Texas Capital Bancshares.

Just as compelling as each bank’s approach to growing their business is the idea that new competitors in direct and mobile banking will spur the digitalization of our industry.  I am a firm believer that through partnerships, acquisitions or direct investments, incumbents and upstarts alike have many real and distinct opportunities to grow and scale while improving the fabric of the financial community.

However, with myriad opportunities to leverage new technologies comes significant risk, a fact not lost on the bank executives and board members who responded to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS.  For the second year running, they indicate that cybersecurity is their top risk concern.

More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.

However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Less than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.

For those thinking about the intersection of fintechs and banks, take a look at our just-released 2016 Risk Practices Survey. This year, we examine risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.

Key Findings Include:

  • Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. FWIW, bank regulators have started to use the tool in exams, and some states are mandating its use.
  • Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.
  • The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.
  • Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.
  • Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.

Clearly, banks are increasingly relying on complex models to support economic, financial and compliance decision-making processes.  Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — I am pleased to share this year’s report as part of our commitment to providing timely & relevant information to the banking community.

Posted on

How to Understand a Bank’s Audit and Risk Committees Issues in Three Steps

I’m in Chicago at Bank Director’s annual Bank Audit & Risk Committees Conference along with more than 260 bankers and some 315 total attendees.  At a time when audit and risk committees have an increasing amount of responsibilities, I’m impressed with the commitments made by attendees and speakers alike to tackle real issues as opposed to sugar coating the challenges before banks today.

As we move into a series of afternoon breakout sessions, I am taking a pause to share my observations on the day so far.  Having moderated a session that touched on how banks can enhance risk oversight capabilities and effectively challenge management on risk, let me try to make sense of the issues being faced by senior bankers and board members if you are not with us.

Step 1: Know Where We Are Coming From

Now that the worst of the financial crisis is behind them, you might think bank boards might finally breathe a sigh of relief.  You would be mistaken.  For example, we have been in an exceptionally low-interest rate environment — one that has caused net interest margins to decline significantly since 2000.  Moreover, growing the bank organically remains challenging with slow loan growth and changing consumer expectations.  Finally,  compliance costs and uncertainties continue to escalate.  So yes, for banks here with us in Chicago, the storm was weathered.  Still, significant risks and challenges remain in place.

Step 2: Accept Where We Are Today

Per our first speaker, Steve Hovde, it has become exceedingly more difficult to maintain net interest margins without growing loan balances.  As he made clear, banks with lower loan-to-deposit ratios operate with less overhead, but they have been unable to translate their lower operating costs into higher profitability over the long run.  In his words, loan growth is now paramount to profitability — and banks will need to find ways to generate loans either organically or (more likely) through M&A activity.

I know that many banks are struggling to find new revenue sources.  I also hear how bank boards are considering diversifying into new loan products and service offerings to attract and retain new and existing customers.  So, for banks considering new lending strategies or launching a new product or service, I made note that the audit committee, risk committee and internal auditor must collaborate to safeguard the organization by understanding an organization’s initiatives, limits and controls, all while understanding the risk monitoring that exists at the institution.

Step 3: Understand Where Things Are Heading

As we look ahead, it is quite clear that the largest banks in the U.S. (e.g. those above $50Bn in assets) have greatly benefited from their ability to spread fixed costs over a larger pool of earning assets.  They have lower efficiency ratios, more non-interest income and stronger earnings.  Since there are at most 30 banks that are above that $50Bn threshold out of some 6,500 banks, the risks facing most of the industry may take various forms but share similar origins.  That is, banks — and their boards — will continue to wrestle with technology issues, find fewer opportunities to replace declining fee revenue, deal with non-regulated “shadow” banks, struggle with regulatory cost burdens and expectations, face new cyber threats and have to address third-party vendor risks.

##

Tomorrow, I will have more to share on this afternoon’s breakout sessions and our final point/counterpoint session.  In between, I invite you to follow the conversation via Twitter using #BDAudit15, @bankdirector and/or @aldominck.

Posted on

About That Elephant Coming Out of the Corner (*hello cyber security & banking)

Last summer, a cyberattack on JPMorgan Chase by Russian hackers compromised the accounts of 83 million households and seven million small businesses.  While the New York Times reports the crime did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank.  A data breach like this illustrates the clear and present danger cyber criminals pose to the safety and soundness of the financial system.  In my opinion, there can be nothing more damaging to the reputation of, and confidence in, the industry as a whole than major security breaches.

Yesterday, Bank Director released its annual Risk Practices Survey, sponsored by FIS, the world’s largest global provider dedicated to banking and payments technologies. As I read through the results, it became immediately apparent that cyber security is the most alarming risk issue for individuals today.  So while I layout the demographics surveyed at the end of this piece, it is worth noting that 80% of those directors and officers polled represent institutions with between $500 million and $5 billion in assets — banks that are, in my opinion, more vulnerable than their larger counterparts as their investment in cyber protection pales to what JPMorgan Chase, Wells Fargo, etc are spending.  In fact, the banks we surveyed allocated less than 1% of revenues to cybersecurity in 2014.  Accordingly, I’m gearing my biggest takeaway to community bankers since those individuals most frequently cited cyber attacks as a top concern.

Interestingly, individual concern hasn’t yet translated into more focus by bank boards. Indeed, less than 20% say cybersecurity is reviewed at every board meeting — and 51% of risk committees do not review the bank’s cybersecurity plan.  As I read through our report, this has to be a wakeup call for bank boards. While a number of retailers have made the news because of hacks and data thefts, this remains an emerging, nuanced and constantly evolving issue.

It would not surprise me if bank boards start spending more time on this topic as they are more concerned than they were last year. But I do see the need to start requiring management to brief them regularly on this issue, and start educating themselves on the topic.  In terms of where to focus early conversations if you’re not already, let me suggest bank boards focus on:

  • The detection of cyber breaches and penetration testing;
  • Corporate governance related to cyber security;
  • The bank’s current (not planned) defenses against breaches; and
  • The security of third-party vendors.

Personally, I don’t doubt that boards will spend considerably more time on this issue — but things have changed a lot in the last year in terms of news on data breaches.  If bankers want to start assessing the cybersecurity plan in the same way they look at the bank’s credit policies and business plan, well, I’d sleep a lot sounder.

So I’ll go on record and predict that boards will become more aware and take on a more active role in the coming months — and also expect that regulators will start demanding that boards review cybersecurity plans, and that all banks have a cybersecurity plans.  To take this a step further, check out this piece by the law firm Arnold & Porter: Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats.

About this report

Bank Director’s research team surveyed 149 independent directors and senior executives of U.S. banks with more than $500 million in assets to examine risk management practices and governance trends, as well as how banks govern and manage cybersecurity risk. 43% of participants serve as an independent director or chairmen at their bank. 21% are CEOs, and 17% serve as the bank’s chief risk officer.

Posted on

Risk Management: Most Certainly An Ongoing Process

Next week, Bank Director releases its annual Risk Practices Survey.  In advance of that report, let me share an excerpt from a risk management-focused piece by KPMG’s Lynn McKenzie and Edmund Green — How a Board Can Credibly Challenge Management on Risk — that foreshadows some of the results. 

As our industry evolves, banks increasingly rely on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — let me share the eight considerations that KPMG wrote about for board members as they evaluate their risk oversight.

(1) Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks — those that threaten our bank’s strategy, business model, or existence?

(2) Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?

(3) Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to timely communicate risk issues to board members? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?

(4) As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?

(5) In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?

(6) Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.

(7) Is the board ensuring that, in dealing with the regulators, the bank is “getting credit’’ for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?

(8) Finally, given the importance of “tone at the top,’’ are directors satisfied that the proper culture of “doing the right thing’’ exists across the organization?

##

As many know by now, the 2,300+ page Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers.  Not surprisingly, many institutions under these thresholds have similarly established committees and recruited executives into their bank.

By taking a more comprehensive approach to risk management, I continue to see institutions reap the benefits with improved financial performance… and yes, this too foreshadows next week’s research report.  To view the entire KPMG article, here is the link (don’t worry, no registration required).  I’ll post more about the Risk Practices Survey along with a link to both the full results and summary report here next week.

%d bloggers like this: