“I know what many of you are thinking. You’re thinking, ‘This man is duplicitous. You’re thinking that he has held things close to his chest. You’re thinking that he did not respond fully to the desires and wishes of the American people. And I want to tell you ‘you’re wrong.’”
–Robert S. McNamara in “The Fog of War,” a documentary.
Defense Secretary Robert McNamara made a lot of unfortunate decisions during the Vietnam War, depicted in the 2003 documentary, “The Fog of War.” Some of the battles that banks face are obviously not as horrifying as an actual war. But they do involve a great deal of money. And any decisions involving a great deal of money require a great deal of care. Banks and their customers are under increasing attack by highly sophisticated cyber criminals successfully stealing confidential information and hundreds of millions or even billions of dollars. (There is no comprehensive official number or record keeping.) Bank boards are trying to figure out how to respond and what to do to provide proper oversight of their security apparatus.
“In terms of cyber crime, a lot of us think it’s going to get worse before it gets better,” said Ken Jones, director of fraud risk management at the consulting firm KPMG, speaking to an audience of about 300 people at Bank Director’s Bank Audit & Risk Committees Conference in Chicago recently. “The (community banks) here are absolutely a focus of the international cyber criminals.”
While some vendors may have a personal interest in terrifying you, it was clear to me that many bank directors in the audience are very concerned about cyber attacks and whether their banks are adequately addressing the problem. Is your bank staff staying abreast of threats, using security software the way it was intended and keeping a keen eye on your IT vendors? Other threats that could prove to be very costly in the years ahead include:
Interest rate risk. Many banks are extending credit at a fixed rate of interest for longer terms in an effort to compete and generate much-needed returns. This will be a problem for some of them when interest rates rise and low cost deposits start fleeing for higher rates elsewhere. You could assume the asset/liability equation will equal out, but will it? Steve Hovde, president and CEO of the investment bank Hovde Group in Chicago, is worried about financial institutions taking on too much interest rate risk, as he has seen credit unions offer 10- or 15-year fixed-rate loans at 3.25 percent interest. “I’m seeing borrowers get better deals with good credit quality than they have ever gotten in history,” he said at the conference.
Reputation risk. In the age of social media, anyone can and does publicize to hundreds of friends any complaint against a bank. Cyber attacks, such as the one that befell Target Corp., can be devastating and cost the CEO his or her job. Rhonda Barnat, managing director of The Abernathy MacGregor Group Inc., says it’s important not to give TV news an incentive to do a story, such as telling a reporter that your employee’s laptop was stolen at a McDonald’s with sensitive customer information, prompting a visit by the camera crew to the McDonald’s. As of now, there is no requirement to publicly disclose the number of records stolen, so public relations firms such as The Abernathy MacGregor Group urge circumspection. Disclosing a theft, but not disclosing how many customer records were stolen, could keep you off the front page of the local newspaper. Focus on the people who matter most: your customers, investors and possibly, your regulators. They want to know how you are going to fix the problem.
Compliance risk. Regulators are increasingly breathing down the necks of bank directors, wanting evidence that the board is actively engaged and challenging management. The official minutes need to reflect this demand, without necessarily going overboard with 25 pages of detailed discussion, for example. Local regulators are increasingly deferring questions to Washington, D.C., where they can get stuck in limbo. When regulators do give guidance, it is often only verbal rather than written and can cross the line into making business decisions for the bank, said Robert Fleetwood, a partner at Barack Ferrazzano in Chicago. In such an environment, it’s important to have good relations with your regulators and to keep them informed.
*Thanks to Wintrust Financial Corp.’s audit committee Chairman Ingrid Stafford for giving me an idea for the title of this article, if not the actual article.