3 Key Takeaways from Bank Director’s Audit & Risk Conference

A quick check-in from the Swissotel in Chicago, where we just wrapped up the main day of Bank Director’s 10th annual Bank Audit & Risk Committees Conference.  This is a fascinating event, one focused on key accounting, risk and regulatory issues aligned with the information needs of a bank’s Chairman, CEO, Bank Audit Committee, Bank Risk Committee, CFO, CRO and internal auditor.  Risk + strategy go hand in hand; today, we spent considerable time debating risk in the context of growing the bank.

By Al Dominick, President & CEO of Bank Director

Earlier today, while moderating a panel discussion, I referenced a KPMG report that suggests “good risk management and governance can be compared to the brakes of a car. The better the brakes, the faster the car can drive.”  With anecdotes like this ringing in my head, allow me to share three key takeaways:

  1. A company’s culture & code of conduct are critical factors in creating an environment that encourages compliance with laws and regulations.
  2. Risk appetite is a widely accepted concept that remains difficult, in practice, to apply.
  3. As a member of the board, do not lose sight of the need to maintain your skepticism.

This year’s program brings together 150+ financial institutions and more then 300 attendees. The demographics reflect the audience we serve, so I thought to share three additional trends.  Clearly, boards of directors are under pressure to evolve.  Financial institutions need the right expertise and experience and benefit greatly when their directors have diverse backgrounds.

Further, as more regulatory rules are written, board members need to understand what they mean and how they can affect their bank’s business.  Finally, technology strategies and risks are inextricably linked to corporate strategy; as such, the level of board engagement needs to increase.

Given the many issues — both known and unknown — a bank faces as our industry evolves, today made clear how challenging it can be for an audit or risk committee member to get comfortable addressing risk and issues.  Staying compliant requires a solid defense and appreciation for what’s now.  Staying competitive?  This requires a sharper focus given near constant pressures to reduce costs while dealing with increasing competition and regulation.

##

To see what we’re sharing on our social networks, I encourage you to follow @bankdirector @fin_x_tech and @aldominick.  Questions or comment?  Feel free to leave me a note below.

What To Do With FinTech

For the 699 financial institutions over $1Bn in asset size today, the drive to improve one’s efficiency ratio is a commonly shared goal.  In my mind, so too should be developing relationships with “friendly” financial technology (FinTech) companies.

By Al Dominick // @aldominick

Small banks in the United States — namely, the 5,705 institutions under $1Bn in assets* — are shrinking in relevance despite their important role in local economies.  At last week’s Bank Audit & Risk Committees Conference in Chicago, Steve Hovde, the CEO of the Hovde Group, cautioned some 260 bankers that the risks facing community banks continue to grow by the day, citing:

  • The rapid adoption of costly technologies at bigger banks;
  • Declining fee revenue opportunities;
  • Competition from credit unions and non-traditional financial services companies;
  • Capital (in the sense that larger banks have more access to it);
  • An ever-growing regulatory burden; and
  • The vulnerability all have when it comes to cyber crime.

While many community banks focus on survival, new FinTech companies have captured both consumer interest and investor confidence.  While some of the largest and most established financial institutions have struck relationships with various technology startups, it occurs to me that there are approximately 650 more banks poised to act — be it by taking the fight back to competitive Fintech companies or collaborating with the friendly ones.

According to John Depman, national leader for KPMG’s regional and community banking practice, “it is critical for community banks to change their focus and to look for new methods, products and services to reach new customer segments to drive growth.”  I agree with John, and approach the intersection of the financial technology companies with traditional institutions in the following manner:

For a bank CEO and his/her executive team, knowing who’s a friend, and who’s a potential foe — regardless of size — is hugely important.  It is also quite challenging when, as this article in Forbes shows, you consider that FinTech companies are easing payment processes, reducing fraud, saving users money, promoting financial planning and ultimately moving our giant industry forward.

This is a two-sided market in the sense that for a FinTech founder and executive team, identifying those banks open to partnering with, investing in, or acquiring emerging technology companies also presents great challenges, and also real upside.  As unregulated competition heats up, bank CEOs and their leadership teams continue to seek ways to not just stay relevant but to stand out.  In my opinion, working together benefits both established organizations and those startups trying to navigate the various barriers to enter this highly regulated albeit potentially lucrative industry.

*As of 6/1, the total number of FDIC-insured Institutions equaled 6,404. Within this universe, banks with assets greater than $1Bn totaled 699. Specifically, there are 115 banks with $10Bn+, 76 with $5Bn-$10Bn and 508 with $1Bn – $5Bn.

Main Areas of Focus for a Bank’s Audit and Risk Committees

What’s top-of-mind for a bank’s Audit and Risk committee members?  Let’s start with cyber security…

By Al Dominick // @aldominick

There are many challenges that bank boards & executives must address, and these two videos (one by our editor, Jack Milligan; the other, by me) briefly review current issues that demand attention + emerging ones that we took note of at this week’s Bank Audit & Risk Committees Conference at the JW Marriott in Chicago.

*For more on the risks facing banks today, take a look at this report from our conference (#BDAudit15).

How to Understand a Bank’s Audit and Risk Committees Issues in Three Steps

I’m in Chicago at Bank Director’s annual Bank Audit & Risk Committees Conference along with more than 260 bankers and some 315 total attendees.  At a time when audit and risk committees have an increasing amount of responsibilities, I’m impressed with the commitments made by attendees and speakers alike to tackle real issues as opposed to sugar coating the challenges before banks today.

As we move into a series of afternoon breakout sessions, I am taking a pause to share my observations on the day so far.  Having moderated a session that touched on how banks can enhance risk oversight capabilities and effectively challenge management on risk, let me try to make sense of the issues being faced by senior bankers and board members if you are not with us.

Step 1: Know Where We Are Coming From

Now that the worst of the financial crisis is behind them, you might think bank boards might finally breathe a sigh of relief.  You would be mistaken.  For example, we have been in an exceptionally low-interest rate environment — one that has caused net interest margins to decline significantly since 2000.  Moreover, growing the bank organically remains challenging with slow loan growth and changing consumer expectations.  Finally,  compliance costs and uncertainties continue to escalate.  So yes, for banks here with us in Chicago, the storm was weathered.  Still, significant risks and challenges remain in place.

Step 2: Accept Where We Are Today

Per our first speaker, Steve Hovde, it has become exceedingly more difficult to maintain net interest margins without growing loan balances.  As he made clear, banks with lower loan-to-deposit ratios operate with less overhead, but they have been unable to translate their lower operating costs into higher profitability over the long run.  In his words, loan growth is now paramount to profitability — and banks will need to find ways to generate loans either organically or (more likely) through M&A activity.

I know that many banks are struggling to find new revenue sources.  I also hear how bank boards are considering diversifying into new loan products and service offerings to attract and retain new and existing customers.  So, for banks considering new lending strategies or launching a new product or service, I made note that the audit committee, risk committee and internal auditor must collaborate to safeguard the organization by understanding an organization’s initiatives, limits and controls, all while understanding the risk monitoring that exists at the institution.

Step 3: Understand Where Things Are Heading

As we look ahead, it is quite clear that the largest banks in the U.S. (e.g. those above $50Bn in assets) have greatly benefited from their ability to spread fixed costs over a larger pool of earning assets.  They have lower efficiency ratios, more non-interest income and stronger earnings.  Since there are at most 30 banks that are above that $50Bn threshold out of some 6,500 banks, the risks facing most of the industry may take various forms but share similar origins.  That is, banks — and their boards — will continue to wrestle with technology issues, find fewer opportunities to replace declining fee revenue, deal with non-regulated “shadow” banks, struggle with regulatory cost burdens and expectations, face new cyber threats and have to address third-party vendor risks.

##

Tomorrow, I will have more to share on this afternoon’s breakout sessions and our final point/counterpoint session.  In between, I invite you to follow the conversation via Twitter using #BDAudit15, @bankdirector and/or @aldominck.

Quick Guide: Bank Mergers & Acquisitions

Mergers & Acquisitions will continue to serve as one of the biggest revenue drivers for banks in the United States.

By Al Dominick // @aldominick

I’m in Chicago to host Bank Director’s annual Bank Audit & Risk Committees Conference, an exclusive event for Chief Executive Officers, Chief Financial Officers, Chief Risk Officers, Chairmen and members of the board serving on an audit or risk committee.  As I reviewed my speaker notes on yesterday’s flight from D.C., it strikes me that of all of the risks facing a bank’s key leadership team today — e.g. regulatory, market, cyber — knowing when to buy, sell or grow independently has to be high on the list.

While we welcome officers and directors to a series of peer exchanges and workshops today, the main conference kicks off tomorrow morning. To open, we look at the strategic challenges, operating conditions and general outlook for those banks attending this annual event.  With public equities and M&A valuations at multi-year highs, numerous institutions having raised capital to position themselves as opportunistic buyers and sellers continuing to take advantage of a more favorable pricing environment, I thought to share three points about bank M&A for attendees and readers alike:

  1. In 2014, there were 289 whole-bank M&A transactions announced (and 18 failed-bank transactions) for a total of 307 deals. Through the first quarter of this year, there have been 67 whole-bank M&A transactions announced and just 4 failed-bank transactions.
  2. KPMG’s annual Community Banking Outlook Survey illustrates that M&A will be one of the biggest revenue drivers for community banks over the next three years, especially as community banks face the need to transform their businesses in an effort to reach new customer segments and streamline their operations.
  3. The continued strengthening of transaction pricing — with 2015 transaction multiples at the highest levels since 2008 — is an important and emerging trend.

According to Tom Wilson, a director of investment banking with the Hovde Groupmany of the factors driving the current M&A cycle have been well documented and remain largely unchanged.  These include improving industry fundamentals, increased regulatory costs, net interest margin compression in a low rate environment, industry overcapacity and economies of scale.  As he notes, while those themes have been playing out in various forms for several years, some additional themes are emerging that are significantly impacting the M&A environment; for example, “the advantages of scale are translating to a significant currency premium. For years we have seen a significant correlation between size, operating performance and currency strength. Lately, that trend has become a significant currency advantage for institutions with greater than $1 billion in assets and resulted in smaller institutions being constrained in their ability to compete for acquisition partners because of a weaker valuation.”

Moreover, an industry outlook published by Deloitte’s Center for Financial Services earlier this year says that the “M&A activity seen in 2014 is likely to continue through 2015, driven by a number of factors: stronger balance sheets, the pursuit of stable deposit franchises, improving loan origination, revenue growth challenges, and limits to cost efficiencies.” However, their 2015 Banking Outlook also acknowledged that “as banks move from a defensive to an offensive position to seek growth and scale, they should view M&A targets with a sharper focus on factors such as efficiencies, growth prospects, funding profile, technology, and compliance.”

##

For those looking for more on bank M&A, let me suggest a read of our current digital issue (available for free download through Apple’s App Store, Google Play and Amazon.com).  In it, we look at how to “bullet-proof” your deal from shareholder lawsuits and have a great video interview with ConnectOne Bank’s CEO, Frank Sorrentino, who talks about how his bank fought back against fee-seeking shareholder activists.  To follow the conversations from the JW Marriott and Bank Director’s annual Bank Audit & Risk Committees Conference, check out #BDAUDIT15, @bankdirector and @aldominick.

A Complete Guide to Bank Director’s Audit & Risk Committees Conference

Whether it is a complex product, new service or emerging line of business, this year’s Bank Audit & Risk Committees Conference examines the many issues and opportunities being faced in boardrooms at financial institutions of all sizes across the country.

By Al Dominick // @aldominick

While much has been written about how and where banks might grow, with new opportunities come new challenges.  With our industry undergoing significant change, boards must be highly informed in order to proactively oversee the management of security risks, compliance challenges and reputational issues.  At this year’s Bank Audit & Risk Committees Conference, we focus in on key accounting, risk and regulatory issues that challenge bankers and board members alike.  Today’s column tees up this year’s program, one that opens on Wednesday at the JW Marriott in Chicago, IL.

Screen Shot 2015-06-08 at 2.03.43 PM

Wednesday, June 10

Before the curtains officially come up, we offer a series of pre-conference programs; most notably, a series of peer exchanges exclusive to a bank’s audit and risk committee chairs.  Modeled upon our annual Bank Chairman/CEO Peer Exchange, small groups of directors meet in closed door, off-the-record peer exchanges for candid discussions about various hot topics.  In addition, we have added a cyber security workshop that allows attendees to play out various scenarios that involve a hack, breach or attack.  Finally, we offer a primer for newer audit and risk committee members and chairs that provides a framework for both roles and responsibilities.

Thursday, June 11

According to several bankers I have recently talked to, this has become a must-attend event for audit committee members, audit committee chairs, CEOs, CFOs, presidents, corporate secretaries, internal auditors, chief risk managers and other senior executives who works closely with the audit and/or risk committee.  This year, we cover pertinent issues such as enterprise risk management, fraud, relations with internal and external auditors, audit committee oversight and regulatory changes for banks.  It is this ability to focus in on critical concerns and complex scenarios to a very specific group of officers and directors that sets us apart from others.  At a time when audit and risk committee members are being asked to take on more responsibilities and perform at higher levels than ever before, the presentations made on day one are laser-focused on key financial, risk management and regulatory issues.

Friday, June 12

A significant imperative for members of a bank’s board today?  Fully integrate risk management, compliance and ethics “that fit” into a particular bank’s culture.  On day two, we look at how this might be done while addressing many other challenges.  Indeed, some of the key risks facing banks today (that regulators expect boards and senior managers to address) include:

  • Strategic risk as banks adapt business models to respond to the current economic and competitive landscapes;
  • Management succession and retention of key staff;
  • Loosening loan underwriting standards;
  • Expansion into new products and services;
  • Exposure to interest rate risk;
  • Oversight of third party service providers;
  • Increased volume and sophistication of cyber threats;
  • BSA/AML risk from higher-risk services and customer relationships; and
  • Maintaining effective compliance management systems.

The presenters at this event are some of the leading experts in accounting, legal, consulting and regulatory areas, as well as experienced bank officers and directors.  From Sullivan & Cromwell to KPMG, Arnold & Porter to Crowe, Latham & Watkins to FIS, we are pleased to bring some of the industry’s foremost advisors together in Chicago.

##

To follow the conversation via Twitter, check out #BDAUDIT15, @bankdirector and @aldominick.

About That Elephant Coming Out of the Corner (*hello cyber security & banking)

Last summer, a cyberattack on JPMorgan Chase by Russian hackers compromised the accounts of 83 million households and seven million small businesses.  While the New York Times reports the crime did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank.  A data breach like this illustrates the clear and present danger cyber criminals pose to the safety and soundness of the financial system.  In my opinion, there can be nothing more damaging to the reputation of, and confidence in, the industry as a whole than major security breaches.

Yesterday, Bank Director released its annual Risk Practices Survey, sponsored by FIS, the world’s largest global provider dedicated to banking and payments technologies. As I read through the results, it became immediately apparent that cyber security is the most alarming risk issue for individuals today.  So while I layout the demographics surveyed at the end of this piece, it is worth noting that 80% of those directors and officers polled represent institutions with between $500 million and $5 billion in assets — banks that are, in my opinion, more vulnerable than their larger counterparts as their investment in cyber protection pales to what JPMorgan Chase, Wells Fargo, etc are spending.  In fact, the banks we surveyed allocated less than 1% of revenues to cybersecurity in 2014.  Accordingly, I’m gearing my biggest takeaway to community bankers since those individuals most frequently cited cyber attacks as a top concern.

Interestingly, individual concern hasn’t yet translated into more focus by bank boards. Indeed, less than 20% say cybersecurity is reviewed at every board meeting — and 51% of risk committees do not review the bank’s cybersecurity plan.  As I read through our report, this has to be a wakeup call for bank boards. While a number of retailers have made the news because of hacks and data thefts, this remains an emerging, nuanced and constantly evolving issue.

It would not surprise me if bank boards start spending more time on this topic as they are more concerned than they were last year. But I do see the need to start requiring management to brief them regularly on this issue, and start educating themselves on the topic.  In terms of where to focus early conversations if you’re not already, let me suggest bank boards focus on:

  • The detection of cyber breaches and penetration testing;
  • Corporate governance related to cyber security;
  • The bank’s current (not planned) defenses against breaches; and
  • The security of third-party vendors.

Personally, I don’t doubt that boards will spend considerably more time on this issue — but things have changed a lot in the last year in terms of news on data breaches.  If bankers want to start assessing the cybersecurity plan in the same way they look at the bank’s credit policies and business plan, well, I’d sleep a lot sounder.

So I’ll go on record and predict that boards will become more aware and take on a more active role in the coming months — and also expect that regulators will start demanding that boards review cybersecurity plans, and that all banks have a cybersecurity plans.  To take this a step further, check out this piece by the law firm Arnold & Porter: Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats.

About this report

Bank Director’s research team surveyed 149 independent directors and senior executives of U.S. banks with more than $500 million in assets to examine risk management practices and governance trends, as well as how banks govern and manage cybersecurity risk. 43% of participants serve as an independent director or chairmen at their bank. 21% are CEOs, and 17% serve as the bank’s chief risk officer.

Guest Post: Variety is the Spice of Life

As promised, a special guest author for this Friday’s column: Bank Director magazine’s Managing Editor, Naomi Snyder.  Having shared my key takeaways from our annual Bank Audit & Risk Committees conference on Wednesday and Thursday, I invited Naomi to share her post-conference thoughts on my blog.  So this morning’s title is as much about truth in advertising as it is an invitation to learn what my friend and colleague deemed timely and relevant.

012

At Al’s request, I’m going to step in and give a quick recap of Bank Director’s Audit and Risk Committees Conference in Chicago this week.  As you can tell from this picture, nearly 300 people attended our conference at The Palmer House hotel and they got a lot of frightening news about risks for their financial institutions, including cyber risk, interest rate risk, compliance and reputation risk in the age of social media.  I’m going to address three of those points today.

Interest Rate Risk

Many banks are extending credit at a fixed rate of interest for longer terms in an effort to compete and generate much-needed returns. This will be a problem for some of them when interest rates rise and low cost deposits start fleeing for higher rates elsewhere. You could assume the liability/asset equation will equal out, but will it? Steve Hovde, the president and CEO of the investment bank Hovde Group in Chicago, is worried about a bubble forming, saying he has seen credit unions offer 10- or 15-year fixed rate loans at 3.25 percent interest. “I’m seeing borrowers get better deals with good credit quality than they have ever gotten in history,” he says.

Reputation Risk

In an age of social media, anyone can and does tweet or post on Facebook any complaint against your bank. Cyber attacks, such as the one that befell Target Corp., can be devastating and cost the CEO his or her job. Rhonda Barnat, managing director of The Abernathy MacGregor Group Inc., says it’s important not to cater to TV news, such as telling a reporter that your employee’s laptop was stolen at a McDonald’s with sensitive customer information, prompting a visit by the camera crew to the McDonald’s. Not disclosing how many customer records were stolen could keep you off the front page. Focus on the people who matter most: your customers and investors and possibly, your regulators. They want to know how you are going to fix the problem that impacts them.

Compliance Risk

Regulators are increasingly breathing down the necks of bank directors, wanting evidence the board is actively engaged and challenging management. The official minutes need to reflect this demand, without necessarily going overboard with 25 pages of detailed discussion, for example. Local regulators are increasingly deferring questions to Washington, D.C., where they can get stuck in limbo. When regulators do give guidance, it is often only verbal and can cross the line into making business decisions for the bank, says Robert Fleetwood, a partner at Barack Ferrazzano in Chicago. In such an environment, it’s important to have good relations with your regulators and to keep them informed.

##

About Naomi: Prior to joining our team, she spent 13 years as a business reporter for newspapers in South Carolina, Texas and Tennessee. Most recently, she was a reporter for The Tennessean, Nashville’s daily newspaper. She also was a correspondent for USA Today. Naomi has a bachelor’s degree from the University of Michigan and a master’s degree in Journalism from the University of Illinois.  To follow her wit and wisdom on Twitter, follow @naomisnyder.

The Bank Audit & Risk Committees Conference – Day Two Wrap Up

With all of the information provided at this year’s Bank Audit & Risk Committees conference(#BDAudit14 via @bankdirector), I think it is fair to write that some attendees might be heading home thinking “man, that was like taking a refreshing drink from a firehose.”  As I reflect on my time in Chicago this week, it strikes me that many of the rules and requirements being placed on the biggest banks will inevitably trickle down to smaller community banks.  Likewise, the risks and challenges being faced by the biggest of the big will also plague the smallest of the small.  Below, I share two key takeaways from yesterday’s presentations along with a short video recap that reminds bankers that competition comes in many shapes and sizes.

The Crown Fountain in Millennium Park
The Crown Fountain in Millennium Park

Trust, But Verify

To open her “New Audit Committee Playbook” breakout session, Crowe Horwath’s Jennifer Burke reinforced lessons from previous sessions that a bank’s audit committee is the first line of defense for the board of directors and shareholders.  Whether providing oversight to management’s design and implementation with respect to internal controls to consideration of fraud risks to the bank, she made clear the importance of an engaged and educated director.  Let me share three “typical pitfalls” she identified for audit committee members to steer clear of:

  1. Not addressing complex accounting issues;
  2. Lack of open lines of communication to functional managers; and
  3. Failure to respond to warning event.

To these points, let me echo her closing remarks: it is imperative that a board member understand his/her responsibility and get help from outside resources (e.g. attorneys, accountants, consultants, etc.) whenever needed.

Learn From High-profile Corporate Scandals

Many business leaders are increasingly aware of the need to create company-specific anti-fraud measures to address internal corporate fraud and misconduct.  For this reason, our final session looked at opening an investigation from the board’s point-of-view.  Arnold & Porter’s Brian McCormally kicked things off with a reminder that the high-profile cyber hacks of Neiman Marcus and Target aren’t the only high-profile corporate scandals that bankers can learn from.  The former head of enforcement at the OCC warned that regulators today increasingly expect bank directors to actively investigate operational risk management issues.  KPMG’s Director of Fraud Risk Management, Ken Jones, echoed his point.  Ken noted the challenge for bank executives and board members is “developing a comprehensive effort to (a) understand the US compliance and enforcement mandates — and how this criteria applies to them; (b) identify the types of fraud that impact the organization; (c) understand various control frameworks and the nature of controls; (d) integrate risk assessments, codes of conduct, and whistleblower mechanisms into corporate objectives; and (e) create a comprehensive anti-fraud program that manages and integrates prevention, detection, and response efforts.”

A One-Minute Video Recap

##

To comment on this piece, click on the green circle with the white plus (+) sign on the bottom right. If you are on twitter, I’m @aldominick.  P.S. — check back tomorrow for a special guest post on AboutThatRatio.com.

The Bank Audit & Risk Committees Conference – Day One Wrap Up

Fundamentally, risk oversight is a responsibility of the board.  One big takeaway from yesterday’s Bank Audit and Risk Committees conference (#BDAudit14 via @bankdirector): the regulatory framework has changed considerably over the past 12 to 18 months — with less focus being placed on things like asset quality and more on operational risks and new product offerings.  To this end, I get the sense officers and directors cannot always wait for the Federal Reserve or other agencies to release guidance to get a sense of the potential impact on their institution.

photo-13
Frank Gehry’s Chicago masterpiece

Trending Topics

Overall, the issues I took note of were, in no particular order: (a) when it comes to formulating a risk appetite, no one size fits all; (b) a bank’s CEO and/or Chairman should establish a formal, ongoing training program for independent directors that provides training on complex products, services, lines of business and risks that have a significant impact on the institution; (c) bank examiners are increasingly asking more probing questions regarding new products and services & third-party vendor risk; (d) the DOJ’s “Operation Chokepoint” use of the banking system to identify fraud and criminal activity in certain areas perceived as high risk was mentioned in three different general sessions; and (e) cyber security is the hot topic.

A Two and a Half Minute Recap

##

To comment on this piece, click on the green circle with the white plus (+) sign on the bottom right. More from the Palmer House in Chicago, IL later today on twitter (@aldominick) and again tomorrow on this site.