At around a quarter to seven o’clock on the evening of Saturday, May 11, firefighters showed up at Enloe State Bank in Cooper, Texas, to find a stack of papers on fire on the conference room table.
“We believe it is suspicious,” said the sheriff, “but we don’t have any more information at this point.” Three weeks later, regulators seized the bank "due to insider abuse and fraud by former officers,” according to Texas Banking Commissioner Charles Cooper.
It’s fair to say that Enloe State Bank is an outlier. It was the first bank to fail in a year and a half, in fact. And one can’t help but wonder what would lead someone to set papers ablaze on a conference room table.
Yet, incidents like this are important for bank executives and directors to register, because they underscore the importance of proactive oversight by a bank’s board—especially the audit and risk committees.
“The essence of the audit committee’s responsibilities is protecting the bank,” said Derrick Hong, the chief audit executive at Pacific Premier Bank, at Bank Director’s 2019 Bank Audit & Risk Committees Conference taking place in Chicago this week. “There are so many pitfalls and risks that could potentially take down a bank, so focusing on those things is the key responsibility of the audit committee.”
Admittedly, it seems like an odd time to worry about risk.
Bank capital levels have never been stronger or of higher quality, noted Steven Hovde, chairman and CEO of Hovde Group. Net charge-offs are lower across the industry than they’ve been in decades. And tax reform has catalyzed profitability. Despite narrow lending margins and subpar efficiency, the banking industry is once again earning more than 1 percent on its assets, exceeding the benchmark threshold last year for the first time since the financial crisis.
But it’s in the good times like these that banking’s troubles are sowed.
“You have to be proactive rather than reactive,” said Mike Dempsey, senior manager at Dixon Hughes Goodman LLP. This approach stems from culture, said Dempsey’s co-presenter LeAnne Staalenburg, senior vice president in charge of corporate security and risk at Capital City Bank Group.
“Culture is key,” said Stallenburg. “Having that culture spread throughout the organization is critical to having a successful risk management program.”
To be clear, the biggest threat to banks currently isn’t bad loans. Credit policy isn’t something to ignore, of course, because loan losses will climb when the cycle takes a turn for the worse. But banks have plenty of capital to absorb those losses, and memories of the last crisis are still fresh in many risk managers’ minds.
The biggest threat isn’t related to funding, either. Even though bankers are concerned about large institutions taking deposit market share as interest rates climb, 74 percent of attendees at Bank Director’s Audit & Risk Committees Conference said their institutions either maintained their existing share or gained share as rates inched higher.
Instead, according to conference attendees, the biggest threat is related to technology. When asked which categories of risk they were most concerned about, 69 percent identified cybersecurity as the No. 1 threat.
Vendor relationships only aggravate this concern. As Staalenburg and Dempsey noted in response to an attendee’s question, vendors offer another way for malicious actors to infiltrate a bank.
Even though we are in a golden age of banking, Hovde emphasized, now is not the time for a bank’s board, and particularly its audit and risk committees, to be complacent.
“Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors,” wrote Kansas City Federal Reserve President Esther George in the Fed’s governance manual, Basics for Bank Directors. “Conversely, in cases where banks have more severe problems and recurring issues, it is not uncommon to find a disengaged board that may be struggling to understand its role and fulfill its fiduciary responsibilities.”