An Easy Way to Lose Sight of Critical Risks

CHICAGO — Let me ask you a question:

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Indeed, smart executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings. But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at today and tomorrow’s Bank Audit and Risk Committees Conference in Chicago, we do so with an eye not just to the internal challenges faced by your institution but on the external pressures as well.

As my team at Bank Director prepares to host 317 women and men from banks across the country this morning, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk. To take things a step further:

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution. Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations.

I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry. That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

So as I prepare to take the stage to kick off this year’s Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

3 Trends (and 3 Issues) Every Bank’s Board Needs To Consider

Quickly:

  • The challenges faced by financial institutions today are as numerous as they are nuanced. Be it data security, emerging technology, fraud, crisis management and/or the effectiveness of internal controls, I opened the 12th annual Bank Audit & Risk Committees Conference by laying out a number of key governance, risk and compliance issues and trends.

CHICAGO — While a sophomore at Washington & Lee University, a professor loudly (and unexpectedly) chastised a close friend of mine for stating the obvious. With a wry laugh, he thanked my classmate “for crashing through an open door.” Snark aside, his criticism became a rallying cry for me to pause and dive deeper into apparently simple questions or issues.

Audit16x9

I shared this anecdote with some 400 attendees earlier today; indeed, I teed up Bank Director’s annual program by reminding everyone from the main stage that:

  1. We’re late in the economic cycle;
  2. Rates are rising; and
  3. Pressure on lending spreads remains intense.

Given the composition of this year’s audience, I acknowledged the obvious nature of these three points. I did so, however, in order to surface three trends we felt all here should have on their radar.  I followed that up with three emerging issues to make note of.

TREND #1:
Big banks continue to roll-out exceptional customer-facing technology.

Wells Fargo has been kicked around a lot in the press this year, but to see how big banks continue to pile up retail banking wins, take a look at Greenhouse by Wells Fargo, their app designed to attract younger customers to banking.

TREND #2:
Traditional core IT providers — Fiserv, Jack Henry & FIS — are under fire.

As traditional players move towards digital businesses, new players continue to emerge to help traditional banks become more nimble, flexible and competitive.  Here, FinXact and Nymbus provide two good examples of legitimate challengers to legacy cores.

TREND #3:
Amazon lurks as the game changer.

Community banker’s fear Amazon’s potential entry into this market; according to Promontory Interfinancial Network’s recent business outlook, it is their greatest threat.

In addition to these trends, I surfaced three immediate issues that banks must tackle

ISSUE #1:
Big banks attract new deposits at a much faster pace than banks with less than $1 billion assets.

If small banks can’t easily and efficiently attract deposits, they basically have no future. ‘Nuf said.

ISSUE #2: 
Bank boards need to know if they want to buy, sell or grow independently.

In a recent newsletter, Tom Brown of Second Curve Capital opined that “if you have less than $5 billion in assets, an efficiency ratio north of 65%, deposit costs above 60 basis points, and earn a return on equity in the single digits, this really is time to give some thought to selling.”  As I shared on LinkedIn yesterday, the 3 biggest bank M&A deals of the year took place in May: Fifth Third Bancorp’s $4.6 billion purchase of MB Financial, Cadence Bancorp’s $1.3 billion acquisition of State Bank Financial and Independent Bank Group’s $1 billion agreement to buy Guaranty Bancorp. 
 I don’t see the pace of consolidation slowing any time soon — and know that banks need to ask if they want (and can) be buyers or sellers.

ISSUE #3:
The risk of data breaches across industries continues to increase.

Be it risk management, internal control or third-party security considerations, every aspect of an institution is susceptible to a data breach — and managing these threats and identifying appropriate solutions takes a village that includes the most senior leaders of an organization.

##

Just as banks need to develop their audit and risk capabilities, skills and talents, so too do officers and directors have both an opportunity and the responsibility to stay abreast of various trends and topics.  Bank Director’s event continues tomorrow with some fascinating presentations. To see what’s been shared already, take a look at Twitter, where I’m tweeting using @aldominick and #BDAudit18.

Cybersecurity and the Fintech Wave

Earlier this month, at Bank Director’s FinTech Day at Nasdaq’s MarketSite in New York City, I noted how many technology firms are developing strategies, practices and tools that will dramatically influence how banking gets done in the future. Concomitantly, I expressed an optimism that banks are learning from these new players, adapting their offerings and identifying opportunities to collaborate with new “digital-first” businesses.  Unfortunately, with great opportunity comes significant risk (and today’s post looks at a major one challenging bank CEOs and their boards). 

By Al Dominick, President & CEO, Bank Director

To grow your revenue, deposits, brand, market size and/or market share requires both strong leadership and business strategy.  Right now, there are a handful of banks developing niche vertical lines of business to compete with the largest institutions. For instance, East West Bancorp, EverBank Financial, First Republic Bank, Opus Bank, PacWest Bancorp, Signature Bank and Texas Capital Bancshares.

Just as compelling as each bank’s approach to growing their business is the idea that new competitors in direct and mobile banking will spur the digitalization of our industry.  I am a firm believer that through partnerships, acquisitions or direct investments, incumbents and upstarts alike have many real and distinct opportunities to grow and scale while improving the fabric of the financial community.

However, with myriad opportunities to leverage new technologies comes significant risk, a fact not lost on the bank executives and board members who responded to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS.  For the second year running, they indicate that cybersecurity is their top risk concern.

More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.

However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Less than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.

For those thinking about the intersection of fintechs and banks, take a look at our just-released 2016 Risk Practices Survey. This year, we examine risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.

Key Findings Include:

  • Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. FWIW, bank regulators have started to use the tool in exams, and some states are mandating its use.
  • Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.
  • The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.
  • Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.
  • Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.

Clearly, banks are increasingly relying on complex models to support economic, financial and compliance decision-making processes.  Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — I am pleased to share this year’s report as part of our commitment to providing timely & relevant information to the banking community.

What To Do With FinTech

For the 699 financial institutions over $1Bn in asset size today, the drive to improve one’s efficiency ratio is a commonly shared goal.  In my mind, so too should be developing relationships with “friendly” financial technology (FinTech) companies.

By Al Dominick // @aldominick

Small banks in the United States — namely, the 5,705 institutions under $1Bn in assets* — are shrinking in relevance despite their important role in local economies.  At last week’s Bank Audit & Risk Committees Conference in Chicago, Steve Hovde, the CEO of the Hovde Group, cautioned some 260 bankers that the risks facing community banks continue to grow by the day, citing:

  • The rapid adoption of costly technologies at bigger banks;
  • Declining fee revenue opportunities;
  • Competition from credit unions and non-traditional financial services companies;
  • Capital (in the sense that larger banks have more access to it);
  • An ever-growing regulatory burden; and
  • The vulnerability all have when it comes to cyber crime.

While many community banks focus on survival, new FinTech companies have captured both consumer interest and investor confidence.  While some of the largest and most established financial institutions have struck relationships with various technology startups, it occurs to me that there are approximately 650 more banks poised to act — be it by taking the fight back to competitive Fintech companies or collaborating with the friendly ones.

According to John Depman, national leader for KPMG’s regional and community banking practice, “it is critical for community banks to change their focus and to look for new methods, products and services to reach new customer segments to drive growth.”  I agree with John, and approach the intersection of the financial technology companies with traditional institutions in the following manner:

For a bank CEO and his/her executive team, knowing who’s a friend, and who’s a potential foe — regardless of size — is hugely important.  It is also quite challenging when, as this article in Forbes shows, you consider that FinTech companies are easing payment processes, reducing fraud, saving users money, promoting financial planning and ultimately moving our giant industry forward.

This is a two-sided market in the sense that for a FinTech founder and executive team, identifying those banks open to partnering with, investing in, or acquiring emerging technology companies also presents great challenges, and also real upside.  As unregulated competition heats up, bank CEOs and their leadership teams continue to seek ways to not just stay relevant but to stand out.  In my opinion, working together benefits both established organizations and those startups trying to navigate the various barriers to enter this highly regulated albeit potentially lucrative industry.

*As of 6/1, the total number of FDIC-insured Institutions equaled 6,404. Within this universe, banks with assets greater than $1Bn totaled 699. Specifically, there are 115 banks with $10Bn+, 76 with $5Bn-$10Bn and 508 with $1Bn – $5Bn.

Main Areas of Focus for a Bank’s Audit and Risk Committees

What’s top-of-mind for a bank’s Audit and Risk committee members?  Let’s start with cyber security…

By Al Dominick // @aldominick

There are many challenges that bank boards & executives must address, and these two videos (one by our editor, Jack Milligan; the other, by me) briefly review current issues that demand attention + emerging ones that we took note of at this week’s Bank Audit & Risk Committees Conference at the JW Marriott in Chicago.

*For more on the risks facing banks today, take a look at this report from our conference (#BDAudit15).

A Complete Guide to Bank Director’s Audit & Risk Committees Conference

Whether it is a complex product, new service or emerging line of business, this year’s Bank Audit & Risk Committees Conference examines the many issues and opportunities being faced in boardrooms at financial institutions of all sizes across the country.

By Al Dominick // @aldominick

While much has been written about how and where banks might grow, with new opportunities come new challenges.  With our industry undergoing significant change, boards must be highly informed in order to proactively oversee the management of security risks, compliance challenges and reputational issues.  At this year’s Bank Audit & Risk Committees Conference, we focus in on key accounting, risk and regulatory issues that challenge bankers and board members alike.  Today’s column tees up this year’s program, one that opens on Wednesday at the JW Marriott in Chicago, IL.

Screen Shot 2015-06-08 at 2.03.43 PM

Wednesday, June 10

Before the curtains officially come up, we offer a series of pre-conference programs; most notably, a series of peer exchanges exclusive to a bank’s audit and risk committee chairs.  Modeled upon our annual Bank Chairman/CEO Peer Exchange, small groups of directors meet in closed door, off-the-record peer exchanges for candid discussions about various hot topics.  In addition, we have added a cyber security workshop that allows attendees to play out various scenarios that involve a hack, breach or attack.  Finally, we offer a primer for newer audit and risk committee members and chairs that provides a framework for both roles and responsibilities.

Thursday, June 11

According to several bankers I have recently talked to, this has become a must-attend event for audit committee members, audit committee chairs, CEOs, CFOs, presidents, corporate secretaries, internal auditors, chief risk managers and other senior executives who works closely with the audit and/or risk committee.  This year, we cover pertinent issues such as enterprise risk management, fraud, relations with internal and external auditors, audit committee oversight and regulatory changes for banks.  It is this ability to focus in on critical concerns and complex scenarios to a very specific group of officers and directors that sets us apart from others.  At a time when audit and risk committee members are being asked to take on more responsibilities and perform at higher levels than ever before, the presentations made on day one are laser-focused on key financial, risk management and regulatory issues.

Friday, June 12

A significant imperative for members of a bank’s board today?  Fully integrate risk management, compliance and ethics “that fit” into a particular bank’s culture.  On day two, we look at how this might be done while addressing many other challenges.  Indeed, some of the key risks facing banks today (that regulators expect boards and senior managers to address) include:

  • Strategic risk as banks adapt business models to respond to the current economic and competitive landscapes;
  • Management succession and retention of key staff;
  • Loosening loan underwriting standards;
  • Expansion into new products and services;
  • Exposure to interest rate risk;
  • Oversight of third party service providers;
  • Increased volume and sophistication of cyber threats;
  • BSA/AML risk from higher-risk services and customer relationships; and
  • Maintaining effective compliance management systems.

The presenters at this event are some of the leading experts in accounting, legal, consulting and regulatory areas, as well as experienced bank officers and directors.  From Sullivan & Cromwell to KPMG, Arnold & Porter to Crowe, Latham & Watkins to FIS, we are pleased to bring some of the industry’s foremost advisors together in Chicago.

##

To follow the conversation via Twitter, check out #BDAUDIT15, @bankdirector and @aldominick.

The Bank Audit & Risk Committees Conference – Day One Wrap Up

Fundamentally, risk oversight is a responsibility of the board.  One big takeaway from yesterday’s Bank Audit and Risk Committees conference (#BDAudit14 via @bankdirector): the regulatory framework has changed considerably over the past 12 to 18 months — with less focus being placed on things like asset quality and more on operational risks and new product offerings.  To this end, I get the sense officers and directors cannot always wait for the Federal Reserve or other agencies to release guidance to get a sense of the potential impact on their institution.

photo-13
Frank Gehry’s Chicago masterpiece

Trending Topics

Overall, the issues I took note of were, in no particular order: (a) when it comes to formulating a risk appetite, no one size fits all; (b) a bank’s CEO and/or Chairman should establish a formal, ongoing training program for independent directors that provides training on complex products, services, lines of business and risks that have a significant impact on the institution; (c) bank examiners are increasingly asking more probing questions regarding new products and services & third-party vendor risk; (d) the DOJ’s “Operation Chokepoint” use of the banking system to identify fraud and criminal activity in certain areas perceived as high risk was mentioned in three different general sessions; and (e) cyber security is the hot topic.

A Two and a Half Minute Recap

##

To comment on this piece, click on the green circle with the white plus (+) sign on the bottom right. More from the Palmer House in Chicago, IL later today on twitter (@aldominick) and again tomorrow on this site.

Bank Director in the Wall Street Journal

images

As the sun shines down on Washington, D.C., some “light” Saturday morning reading on the Wall Street Journal’s Risk + Compliance Journal this morning:

Banks with a separate board-level risk committee report a higher median return on assets and return on equity compared to banks that govern risk within a combined audit/risk committee or within the audit committee, according to the Risk Practices Survey from Bank Director and banking and payments technology company FIS. The survey found smaller banks are adopting risk practices required only of much larger companies, and that almost all banks with more than $1 billion in assets now have a chief risk officer and 63% govern risk within a separate risk committee of the board.

To read the full piece on recent surveys and reports dealing with risk and compliance issues, click here.